XrayWrappers can be bypassed to run user-defined methods in a privileged context
Description
Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers can be bypassed to call content-defined toString and valueOf methods through DefaultValue. This can lead to unexpected behavior when privileged code acts on the incorrect values.
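The following added example (plain JavaScript for Node.js, not Mozilla code and not involving XrayWrappers themselves) shows why content-defined `valueOf` and `toString` reached through implicit conversion give code incorrect values, and the primitive-only check that avoids the conversion. All function and object names are hypothetical, and the content object is a constructed stand-in.

```javascript
// Constructed stand-in for an object supplied by untrusted content.
// Its conversion hooks count their calls and change their answer.
function makeContentObject() {
  let calls = 0;
  return {
    valueOf() { calls += 1; return calls === 1 ? 5 : 5000; },
    toString() { calls += 1; return "content-chosen text"; },
    get calls() { return calls; },
  };
}

// Unsafe pattern: each implicit conversion (the DefaultValue step)
// runs the object's own valueOf, so check and use can disagree.
function unsafeClamp(input, limit) {
  if (input < limit) {   // first conversion: the check sees 5
    return input + 0;    // second conversion: the use sees 5000
  }
  return limit;
}

// Unsafe pattern: String() on an object runs its toString.
function unsafeLabel(input) {
  return "item: " + String(input);
}

// Hardened pattern: accept primitives only, so no content-defined
// method is ever invoked while validating or using the value.
function safeClamp(input, limit) {
  if (typeof input !== "number" || !Number.isFinite(input)) {
    throw new TypeError("expected a finite primitive number");
  }
  return Math.min(input, limit);
}

function safeLabel(input) {
  if (typeof input !== "string") {
    throw new TypeError("expected a primitive string");
  }
  return "item: " + input;
}

console.log(unsafeClamp(makeContentObject(), 10));
console.log(unsafeLabel(makeContentObject()));
```
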
Affected Applications
Thunderbird
Thunderbird ESR