Mozilla Firefox 68, Mozilla Firefox ESR 60.8 and Mozilla Thunderbird 60.8: When an inner window is reused, it does not consider the use of <code>document.domain</code> for cross-origin protections. If pages on different subdomains ever cooperatively use <code>document.domain</code>, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did no ...