From the “did you guess that?” files:
This is a “High” impact vulnerability that, if exploited, could potentially have been used by a malicious website to steal private data from users who are authenticated on the redirected website. The attack would have needed a same-domain JavaScript URL that would have redirected victims to a different domain containing non-parsable JavaScript.
I personally have not, to date, seen a weaponized version of this attack (though on the surface it doesn’t sound too difficult to build). Kudos to Mozilla for admitting they made an error here, though, and more importantly for fixing it so quickly.
Now Firefox 2.x can finally be put to rest.
I am, however, curious as to whether or not this same attack is possible in Firefox 3.1 Beta 2, which was not updated for this fix (Firefox 3.0.0.5 was). Firefox 3.1, however, uses the TraceMonkey JavaScript engine and has many security enhancements in it over the regular Firefox 3.x browsers.