A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy. This vulnerability affects Firefox < 59.
https://bugzilla.mozilla.org/show_bug.cgi?id=1419166
https://usn.ubuntu.com/3596-1/