The new flaw is in the Password Manager feature of the browser, which stores log-in details for websites so that users do not have to input them every time they visit a protected website.
Users are vulnerable because the Password Manager fails to verify that the URL is legitimate.
"Given the new nature of this type of attack, Chaplin has named this a Reverse Cross-Site Request [RCSR] vulnerability," said the company.
"This flaw could affect anyone visiting a blog or forum website that allows user-contributed HTML code to be added."
Chaplin claims that the attack has already been used to steal the log-in details of MySpace users, who were redirected to a false log-in page where their details were harvested.
The bug is as yet unpatched and Mozilla is advising users to turn off the Password Manager feature until a fix is available.
"This attack is much more likely to succeed because Internet Explorer and Firefox are not designed to check the destination of form data before the user submits them," said Chaplin.
"This behaviour does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate log-in form, so IE actually behaves better in some situations.
"Users of Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses."
Chapin has informed Microsoft of the problem.
Additional reporting by Clement James.
Some parts of Atacama have not received rainfall for 500 years - but a sudden deluge of water upset the Desert's delicate biological balance
Spitzer Space Telescope could not spot Oumuamua, suggesting that it is actually pretty small
Greenland crater one of the 25 largest impact craters on Earth
This long-sought progenitor star was identified in an image captured by Hubble in 2007