When a user has a trusted website open, such as a PayPal or e-banking site, malicious code can be inserted into that page if an untrusted or compromised website is open alongside it.
"Basically, the flaw means that if you are viewing a trusted site in one window and open a site belonging to a spoofer in another window, the spoofer can insert code in the window showing the trusted site," said a Mozilla spokesperson on the company's website. "This is a theoretical vulnerability, there have been no actual examples of anyone doing it."
The flaw affects Firefox 1.0.4, Mozilla 1.7.8 and Deer Park Alpha. Vulnerability assessment company Secunia rated it as "moderately critical". The firm revealed details of a similar flaw, known as "frame injection", in Mozilla software in July last year.
The news came after two months of vulnerability scares at Mozilla. In May, SC reported that the group had updated its Firefox browser to plug critical vulnerabilities.
Earlier in the year the browser announced itself as the first real challenge to Internet Explorer's hegemony by passing 50 million user downloads.
Of the recent vulnerability, Secunia offered the following pithy advice in its advisory: "Do not browse untrusted websites while browsing trusted sites."