Mozilla confirmed the presence of an unpatched flaw in its browser on Thursday, with a post promising to release a fix at the end of the month.
The flaw, discovered by security researcher Evgeny Legerov and reported by The Reg last month, creates a means to inject hostile code on vulnerable systems. The vulnerability is due to be fixed in version 3.6 of Firefox on 30 March.
In the meantime, the more technically adept or security-conscious user can update to the beta version of the 3.6.2 release, which already plugs the security flaw.
In other browser security news, Google updated the Windows version of its Chrome browser on Wednesday, addressing nine vulnerabilities of varying seriousness.
Left unfixed the flaws created a possible mechanism to run spoofing attacks or bypass security restrictions, such as sandboxing. Users are advised to update to version 188.8.131.526.
A flaw in the WebKit engine used by Chrome earned its finder, Sergey Glazunov, the first $1,337 pay-out from Google's bug bounty program.
The release also adds features and fixes stability bugs as explained in an advisory here. Google's update comes just days before the much-watched pwn2own hacking contest at the CanSecWest security conference.