The open source browser would normally restrict the level of access given to such code, but when the code is delivered through Internet Explorer the restrictions are not in place.
An attacker could simply attach the malicious code to a URL instructing Internet Explorer to launch Firefox and run the exploit.
A similar flaw was later found to exist in AIM instant messaging clients. The researchers who discovered the AIM flaw suggested that both vulnerabilities are down to the way the Uniform Resource Identifiers are handled.
Mozilla stressed that the fix will only prevent the Firefox end of the attack. Microsoft said that it is investigating the Internet Explorer reports.
Along with the cross-browser vulnerability, two further critical flaws were addressed in the Firefox update.
The first allowed attackers to execute arbitrary code by way of what Mozilla categorises as "an unspecified element outside a document".
The update also includes fixes for a pair of cross-site scripting vulnerabilities and a flaw that could allow an attacker to access a user's web cache.
The update is available through the Firefox website or through the browser's automatic update feature.
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software