Opera and Firefox contain vulnerable code for handling BMP files with a partial palette. The flaw makes it possible to craft a BMP file that leaks information from the heap. This information can be sent to a remote server using the canvas tag (HTML 5) and JavaScript.

http://www.securiteam.com/securitynews/5ZP0B20NFY.html
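
The following check is an added example, not code from the advisory or from either browser: it flags uncompressed indexed BMPs that declare fewer palette entries than their bit depth allows and whose pixel data references indices outside that palette. It assumes this is the condition behind the leak (the advisory does not spell out the details); the function names and the 4x1 sample image are constructed for illustration.

```python
import struct

def bmp_palette_report(data: bytes) -> dict:
    """Check an uncompressed indexed BMP for pixel indices outside its declared palette."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP with a BITMAPINFOHEADER")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    colors_used = struct.unpack_from("<I", data, 46)[0]          # biClrUsed
    if hdr_size < 40 or bpp not in (1, 4, 8) or compression != 0 or width <= 0 or height == 0:
        raise ValueError("only uncompressed 1/4/8-bit BMPs are handled here")
    full = 1 << bpp
    declared = colors_used or full          # biClrUsed == 0 means a full palette
    if declared > full:
        raise ValueError("biClrUsed exceeds what the bit depth can index")
    palette_end = 14 + hdr_size + 4 * declared
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
    rows = abs(height)
    if palette_end > pixel_offset or pixel_offset + stride * rows > len(data):
        raise ValueError("palette or pixel data runs past its bounds")
    per_byte, mask = 8 // bpp, full - 1
    max_index = 0
    for r in range(rows):
        row = data[pixel_offset + r * stride: pixel_offset + (r + 1) * stride]
        for x in range(width):
            shift = 8 - bpp * (x % per_byte + 1)   # leftmost pixel is in the high bits
            max_index = max(max_index, (row[x // per_byte] >> shift) & mask)
    return {"declared": declared, "full": full, "max_index": max_index,
            "partial_palette": declared < full,
            "index_out_of_palette": max_index >= declared}

def build_sample(colors_used: int, pixels: bytes) -> bytes:
    """Constructed 4x1, 8-bit BMP used only to exercise the check."""
    palette = b"\x10\x20\x30\x00" * colors_used
    offset = 14 + 40 + len(palette)
    info = struct.pack("<IiiHHIIiiII", 40, 4, 1, 1, 8, 0, 4, 0, 0, colors_used, 0)
    head = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return head + info + palette + pixels

if __name__ == "__main__":
    print(bmp_palette_report(build_sample(2, bytes([0, 1, 200, 1]))))
```

A decoder that accepts such files has to give every index a defined colour, for example by zero-filling the palette up to the full size for the bit depth before copying in the declared entries.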