"[Security researcher] Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the 'window.location' property," said Mozilla in a security advisory.
"This could be used to conduct a Cross-Site Request Forgery attack against websites that rely only on the Referer header as protection against such attacks."
Customers still using Firefox 1.5 are strongly advised to upgrade immediately, while those using version two should get updated automatically.
"If you already have Firefox 2.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates' from the Help menu," said Mozilla.
Mozilla released a beta of Firefox 3.0 on 20 November offering improved phishing protection, new antivirus software and parental control settings.
_(20).jpg&h=140&w=231&c=1&s=0)
_(22).jpg&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
_(26).jpg&w=100&c=1&s=0)
iTnews Executive Retreat - Security Leaders Edition
_(1).jpg&h=140&w=231&c=1&s=0)
