Firefox doesn't properly handle escaped characters. It is possible to load any JavaScript file on a victims machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.

http://www.securiteam.com/securitynews/5CP0M0UN5A.html