
Two independent researchers outlined the vulnerability in a presentation over the weekend at the ToorCon hacker conference.
The pair claimed that the vulnerability could allow attackers to take control of a system through a specially crafted webpage.
Mozilla security chief Window Snyder said in a blog posting on the Mozilla developer site that it is possible to force browser crashes using the vulnerability.
Snyder did not confirm that the flaw could be exploited to allow remote code execution.
The vulnerability affects the 'chrome context' component of Firefox, according to Eric Sites, vice president of research and development at security vendor Sunbelt Software.
"Chrome context provides certain trusted code such as JavaScript with full access to Firefox's resources," Sites told vnunet.com.
"If a script gets into that chrome context, then it's just like you copied that script to your computer and ran it with no restrictions whatsoever."
Although there are no known exploits of the vulnerability, Sites warned that the flaw could be included in the WebAttacker toolkit which provides malware authors with an automated tool to craft new worms and viruses.
"We have already seen [WebAttacker] JavaScript exploits targeted at Firefox, so I am sure these guys will be picking up these scripts and implementing them in WebAttacker pretty quickly," he said.
Sites compared the impact of the Firefox vulnerability to the ActiveX software zero-day exploits that hit Microsoft's Internet Explorer in the past week.
In two separate incidents, attackers used an unpatched vulnerability in Explorer to execute arbitrary code. Microsoft rushed out a patch for the VML flaws last week, but the ActiveX flaw remains unpatched.
The open source status of Firefox allows its developer community to quickly create a patch once a solution has been found, but Sites warned that the vulnerability is still "pretty dangerous" to users.
"One thing that Mozilla has going for it is an interesting framework that allows for sending out updates very quickly," he said.