Mozilla Firefox before 52.0 and Thunderbird before 52.0 :- When adding a range to an object in the DOM, it is possible to use addRange to add the range to an incorrect root object. This triggers a use-after-free, resulting in a potentially exploitable crash.