Mozilla Foundation Security Advisory 2010-14
Title: Browser chrome defacement via cached XUL stylesheets
Announced: March 23, 2010
Reporter: Wladimir Palant
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.2
Mozilla developer Wladimir Palant reported that stylesheets used in remote XUL documents can wind up in the XUL cache where it can later be accessed by browser chrome for use in styling the user interface. A malicious website could use this issue to pollute a user's XUL cache and change style attributes of their browser such as font size and color.