As reported and fixed upstream for Seamonkey, Firefox suffers from a serious, remotely exploitable crash when using the JavaScript call "document.createRange().extractContents()". As this error drove me nuts when using TYPO3, which apparently uses such a call in its backend JS code, I patched the sources on my own using the patch v1.1 supplied in the upstream bug report. There is no clear information on whether it'll get fixed in FF 1.5.0.8 or not, but why wait when we can fix this right now?

Before applying the patch, Firefox crashes when entering javascript:document.createRange().extractContents(); into the URL bar. After applying, just nothing happens, and Firefox continues running smoothly.

I did not add a new ebuild intentionally, since the patch will almost certainly go into the mozilla-firefox-*-patches archive, if accepted.
Created attachment 98661
Patch fixing the described issue

This patch has been reviewed and accepted upstream, and works perfectly for me.
Fixed in stable.