A remote attacker might be able to bypass the sandbox and execute arbitrary code on the affected host via a crafted page containing an SVG object, a Vorbis audio file or some unicode characters. These issues can generally not be exploited through email because scripting is then disabled, but can be exploited in browser-like contexts.