A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230733
http://secunia.com/advisories/24384
http://secunia.com/advisories/24395
http://secunia.com/advisories/24455
http://secunia.com/advisories/24457
http://secunia.com/advisories/24650
http://secunia.com/advisories/25588
http://securitytracker.com/id?1017726
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9749
http://www.debian.org/security/2007/dsa-1336
http://www.mozilla.org/security/announce/2007/mfsa2007-09.html
http://www.redhat.com/support/errata/RHSA-2007-0078.html