Likely fix for the user.dat open file descriptor leak:
If js_CreateUserObject(cx,parent,cfg,"name",...) is called multiple times
(e.g. before login and after login), the successive calls will reuse the
previously allocated JS object and allocated private data memory. However, the
private data memory (which includes the descriptor of an open user.dat file,
if it has been opened), was always zeroed, even if it was being reused. This
would leak open file descriptor.

So any (pre)login scripts or web scripts that use the "user" object (which
is all zeroed-out before login) and then allows a user to subsequently login,
would leak a file descriptor.