The new flaw is in the Password Manager feature of the browser, which stores log-in details for websites so that users do not have to input them every time they visit a protected website.
Users are vulnerable because the Password Manager fails to verify that the URL is legitimate.
"Given the new nature of this type of attack, Chaplin has named this a Reverse Cross-Site Request [RCSR] vulnerability," said the company.
"This flaw could affect anyone visiting a blog or forum website that allows user-contributed HTML code to be added."
Chaplin claims that the attack has already been used to steal the log-in details of MySpace users, who were redirected to a false log-in page where their details were harvested.
The bug is as yet unpatched and Mozilla is advising users to turn off the Password Manager feature until a fix is available.
"This attack is much more likely to succeed because Internet Explorer and Firefox are not designed to check the destination of form data before the user submits them," said Chaplin.
"This behaviour does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate log-in form, so IE actually behaves better in some situations.
"Users of Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses."
Chapin has informed Microsoft of the problem.
Additional reporting by Clement James.
Wikileaks Vault 7 suspect Joshua Schulte fingered by FBI after re-using smartphone passwords on his PCs
Joshua Schulte indicted on 13 counts relating to Vault 7 leaks and trading in images of child abuse
Alexa for Hospitality will link with existing systems so guests can order room service and control the air con
Massive volcanic eruptions could have warmed Mars' surface sufficiently for oceans to form
Examination of fruit flies' brains generated more than one billion data points for scientists to analyse