The previous LastPass vulnerability was fixed incompletely in Firefox. This is because Firefox includes content scripts in neterror pages, so LastPass scripts are still loaded for invalid URLs.

An easy way to demonstrate this is to force LastPass to open the vault, and then inject some script that reads the first password. Full details are here.

(Note: you could also just use this as a UXSS, or to steal arbitrary files via file:///)