A bug exists in Firefox (1.5 branch only) in the way it handles iframe.contentWindow.focus() calls. A malicious web page could potentially execute arbitrary code as the user running firefox. The initial post to bugtraq can be found here: http://www.securityfocus.com/archive/1/archive/1/431878/100/0/threaded
This issue has been fixed in FEDORA-2006-547