It's possible to convince LastPass 4.1.43 that any website is the privileged domain lastpass.com, because LastPass incorrectly assumed that global properties couldnt be set across isolated worlds.

If you have the "Binary Component" installed, this even allows arbitrary code execution. Full details here.

Click the button below to run calc.exe (This demo is Windows w/Chrome only, but other platforms and browsers are affected).