Mozilla security researcher moz_bug_r_a4 reported that the wrapper class
XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has
a logical error in its scripted function implementation that allows the
caller to run the function within the context of another site. This is
a violation of the same-origin policy and could be used to mount an XSS
Upstream bug report (not public yet):
This flaw only affected the 3.5 Firefox branch. I'm closing it as CURRENTRELEASE as it's fixed everywhere we ship Firefox.