Security researcher Mario Heiderich reported that javascript
could be executed in the HTML feed-view using <embed> tag
within the RSS <description>. This problem is due to
<embed> tags not being filtered out during parsing and can
lead to a potential cross-site scripting (XSS) attack. The flaw existed in a
parser utility class and could affect other parts of the browser or add-ons
which rely on that class to sanitize untrusted input.
Vulmon