Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 220.127.116.11 and older could be used to run arbitrary script (see MFSA 2007-23). The vast majority of programs do not have dangerous arguments, though many could still be made to do something unexpected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):