Mozilla Foundation Security Advisory 2005-49
Title: Script injection from Firefox sidebar panel using data:
Severity: High
Reporter: Kohei Yoshino
Products: Firefox
Fixed in: Firefox 1.0.5
Description
Sites can use the _search target to open links in the Firefox sidebar. A
missing security check allows the sidebar to inject data: URLs containing
scripts into any page open in the browser. This could be used to steal
cookies, passwords or other sensitive data.
Workaround
Disable JavaScript
References
https://bugzilla.mozilla.org/show_bug.cgi?id=294074