A report from Michael Zalewski has been released, stating that a new security vulnerability affects Firefox 2.0.0.1 and possibly earlier versions. This flaw could allow a malicious web site to impersonate an authentic one and set a cookie on its behalf, which could be used to perform cross-windows and cross-frame attacks. In this way personal information exchanged via Ajax could be compromised.

Zalewski has released a test case to demonstrate the vulnerability, and has also recommended this workaround:

    1. Enter about:config in the location bar to access Firefox’s advanced preferences.
    2. Right click and select New -> String.
    3. Enter capability.policy.default.Location.hostname.set for the preference name.
    4. Enter noAccess for the preference value.
    5. Restart Firefox.

It’s still unknown if this will be fixed in upcoming 2.0.0.2 version of Firefox, due by the end of February.