Security researcher O. Andersen reported that undefined positions within various 8 bit character encodings are mapped to the sequence U+FFFD which when displayed causes the immediately following character to disappear from the text run. This could potentially contribute to XSS problems on sites which expected extra characters to be present within strings being sanitized on the server.
This is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-44.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0547 https://rhn.redhat.com/errata/RHSA-2010-0547.html
xulrunner-1.9.2.7-1.fc13, firefox-3.6.7-1.fc13, mozvoikko-1.0-12.fc13, gnome-web-photo-0.9-10.fc13, perl-Gtk2-MozEmbed-0.08-6.fc13.15, gnome-python2-extras-2.25.3-20.fc13, galeon-2.0.7-30.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
thunderbird-3.1.1-1.fc13, sunbird-1.0-0.26.b2pre.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.