It's possible to convince LastPass 4.1.43 that any website is the privileged
domain lastpass.com, because LastPass incorrectly assumed that global
properties couldnt be set across isolated worlds.
If you have the "Binary Component" installed, this even allows arbitrary code execution.
Full details here.
Click the button below to run calc.exe (This demo is Windows w/Chrome only, but other platforms and browsers are affected).