Background on this issue is available here.
An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. Only users that have installed “flat” packed add-ons are at risk. Discussion about “flat” packaged add-ons is here. A partial list of “flat” packed add-ons is available here. If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.