Mozilla security developer Roberto Suggi Liverani reported that ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any released products, extension code could have potentially used it in an unsafe manner.
This is now public: http://www.mozilla.org/security/announce/2011/mfsa2011-08.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0311 https://rhn.redhat.com/errata/RHSA-2011-0311.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:0310 https://rhn.redhat.com/errata/RHSA-2011-0310.html