Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox in MFSA 2006-31 and content-defined DOM setters in MFSA 2006-37 moz_bug_r_a4 figured a way to leverage the fact that the notifications were created in a privileged context into arbitrary code execution.
Disable JavaScript until you've upgraded to a fixed version.
Vulmon