Window Snyder, Mozilla’s chief of security, confirmed a data leak vulnerability in Firefox’s directory traversal mechanism. The flaw has been graded as low risk and was brought to light as a proof of concept.

An excerpt from

When a “flat” add-on is present, an extension which stores its information within Javascript files as opposed to .jar files, an attacker exploiting this flaw may be able to retrieve data or profile a compromised system. Extensions such as Greasemonkey and Download Statusbar may be affected.

The bug was traced the way escape sequences are handled, leading to file access on a user’s PC, even though the browser is fully patched.

More information:

Firefox leaks information (Heise Security)

Mozilla Says Flaw Could Lead to Data Leak (PC World)

Mozilla says that flaw could lead to data leak (Washington Post)

Mozilla confirms Firefox proof of concept information leak vulnerability (ZDNet)