The following vulnerabilities have been reported:

• Benjamin Smedberg discovered that chrome URL's could be made to reference remote files.
• Developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients.
• "shutdown" reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site.
• "shutdown" reports that scripts granting the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context.
• "moz_bug_r_a4" reports that A malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox.
• "moz_bug_r_a4" discovered that Named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior).
• Igor Bukanov and shutdown found additional places where an untimely garbage collection could delete a temporary object that was in active use.
• Georgi Guninski found potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments.
• H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object.
• A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page.
• Secunia Research has discovered a vulnerability which is caused due to an memory corruption error within the handling of simultaneously happening XPCOM events. This leads to use of a deleted timer object.
• An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up.
• Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away.