Spin off from bug 410177 comment 27.

With reference to http://mxr.mozilla.org/mozilla/source/mail/components/addrbook/content/abCardViewOverlay.js#442 for Thunderbird and http://mxr.mozilla.org/mozilla/source/mailnews/addrbook/resources/content/abCardViewOverlay.js#441 for SeaMonkey - Addressbook creates a few mailto links and it is possible that these can be exploited.

As dmose said: "I suspect that it's possible to exploit this URI creation in weird ways by having a remote (e.g. LDAP) addressbook with a hostile email address or convincing someone to import a hostile vCard. Can you file a spinoff bug to look into that?"

BTW, the code exists in mozilla/mail also, but does not affect Thunderbird. Both in Thunderbird and SeaMonkey, cvAddAddressNodes is called from DisplayCardViewPane - for Thunderbird 'null' is passed as the first argument (node) since there is no element by id cvAddresses in Thunderbird.
Just a needs-investigation bug!
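
A sketch of the concern raised above, as an added example that is not part of the original report or of the Mozilla code. It assumes the link is built by concatenating "mailto:" with the card's address (an assumption; the linked source is not reproduced here) and compares that with a percent-encoded construction; function names and sample addresses are constructed.

```javascript
// Added example: names and sample addresses are constructed for illustration.

// Naive construction: the address is pasted into the URI unescaped
// (assumed pattern, not a quote of abCardViewOverlay.js).
function naiveMailto(address) {
  return "mailto:" + address;
}

// Hardened construction: refuse control characters and whitespace, then
// percent-encode so URI delimiters ('?', '&', '=') lose their meaning.
function safeMailto(address) {
  if (typeof address !== "string" || /[\u0000-\u0020\u007f]/.test(address)) {
    return null; // do not render a link for such a value
  }
  return "mailto:" + encodeURIComponent(address);
}

// Report what a mailto consumer would see: recipient plus any header fields.
function inspectMailto(href) {
  const url = new URL(href);
  return {
    to: decodeURIComponent(url.pathname),
    headerFields: [...url.searchParams.keys()],
  };
}

// Constructed card data, as might arrive from an LDAP directory or a vCard.
const benign = "alice@example.org";
const hostile = "bob@example.org?cc=other@example.net&subject=injected";

for (const addr of [benign, hostile]) {
  console.log("naive:", inspectMailto(naiveMailto(addr)));
  console.log("safe: ", inspectMailto(safeMailto(addr)));
}
```

With the naive form, everything after the `?` in the stored address is parsed as mailto header fields; with the encoded form the whole stored value stays in the recipient part.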