Firefox is vulnerable to arbitrary code execution. A flaw was found in the way Firefox sanitized HTML content in extensions. If an extension loaded or rendered malicious content using the ParanoidFragmentSink class, that content might not be displayed safely, causing Firefox to execute arbitrary JavaScript with the privileges of the user running Firefox.
downloads.avaya.com/css/P8/documents/100133195
wizzrss.blat.co.za/2009/11/17/so-much-for-nsiscriptableunescapehtmlparsefragment/
www.mandriva.com/security/advisories?name=MDVSA-2011:041
www.mandriva.com/security/advisories?name=MDVSA-2011:042
www.mozilla.org/security/announce/2011/mfsa2011-08.html
www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.14
www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf
www.securityfocus.com/archive/1/510883/100/0/threaded
access.redhat.com/errata/RHSA-2011:0310
access.redhat.com/security/updates/classification/#critical
bugzilla.mozilla.org/show_bug.cgi?id=562547
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12532