diff --git a/dom/plugins/base/nsJSNPRuntime.cpp b/dom/plugins/base/nsJSNPRuntime.cpp
index 4594ef73c7e2..47358e54e999 100644
--- a/dom/plugins/base/nsJSNPRuntime.cpp
+++ b/dom/plugins/base/nsJSNPRuntime.cpp
@@ -1904,7 +1904,8 @@ nsNPObjWrapper::OnDestroy(NPObject *npobj)
   }
 }
 
-// Look up or create a JSObject that wraps the NPObject npobj.
+// Look up or create a JSObject that wraps the NPObject npobj. The return value
+// is always in the compartment of the passed-in JSContext (it might be a CCW).
 
 // static
 JSObject *
diff --git a/dom/plugins/base/nsNPAPIPlugin.cpp b/dom/plugins/base/nsNPAPIPlugin.cpp
index 48c621a63887..8097f841b8a3 100644
--- a/dom/plugins/base/nsNPAPIPlugin.cpp
+++ b/dom/plugins/base/nsNPAPIPlugin.cpp
@@ -1052,11 +1052,16 @@ _evaluate(NPP npp, NPObject* npobj, NPString *script, NPVariant *result)
   options.setFileAndLine(spec, 0);
   JS::Rooted<JS::Value> rval(cx);
   JS::AutoObjectVector scopeChain(cx);
-  if (obj != js::GetGlobalForObjectCrossCompartment(obj) &&
-      !scopeChain.append(obj)) {
+  if (!JS_IsGlobalObject(obj) && !scopeChain.append(obj)) {
     return false;
   }
-  obj = js::GetGlobalForObjectCrossCompartment(obj);
+  // nsNPObjWrapper::GetNewOrUsed returns an object in the current compartment
+  // of the JSContext (it might be a CCW).
+  MOZ_RELEASE_ASSERT(js::GetObjectCompartment(obj) ==
+                     js::GetContextCompartment(cx),
+                     "nsNPObjWrapper::GetNewOrUsed must wrap its return value");
+  obj = JS::CurrentGlobalOrNull(cx);
+  MOZ_ASSERT(obj);
   nsresult rv = NS_OK;
   {
     nsJSUtils::ExecutionContext exec(cx, obj);