Security researcher Fabiaacute;n Cuchietti discovered that it was possible to bypass the restriction on JavaScript execution in mail by embedding an lt;iframegt; with a data: URL within a message. If the victim replied or forwarded the mail after receiving it, quoting it quot;in-linequot; using Thunderbird"s HTML mail editor, it would run the attached script. The running script would be restricte ...