moz_bug_r_a4 reported that the src
attribute of an IMG
element loaded in a frame could be changed to a javascript: URI that was able
to bypass the protections against cross-site script (XSS) injection.
The injected script could steal credentials and financial data, or perform
destructive actions on behalf of a logged-in user.
Disable JavaScript until you can upgrade to a fixed version.
Exploit details withheld until after the active update period.