The following vulnerabilities have been reported:

• Benjamin Smedberg discovered that chrome URLss could be made to reference remote files.
• Developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients.
• "shutdown" reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site.
• "shutdown" reports that scripts granting the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context.
• "moz_bug_r_a4" discovered that Named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior).
• Igor Bukanov and shutdown found additional places where an untimely garbage collection could delete a temporary object that was in active use.
• Georgi Guninski found potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments.
• H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object.
• A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page.
• Secunia Research has discovered a vulnerability which is caused due to an memory corruption error within the handling of simultaneously happening XPCOM events. This leads to use of a deleted timer object.