The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects.
http://secunia.com/advisories/37699
http://secunia.com/advisories/37785
http://securitytracker.com/id?1023346
http://securitytracker.com/id?1023347
http://www.mozilla.org/security/announce/2009/mfsa2009-71.html
http://www.securityfocus.com/bid/37349
http://www.securityfocus.com/bid/37360
http://www.vupen.com/english/advisories/2009/3547
https://bugzilla.mozilla.org/show_bug.cgi?id=503451
https://bugzilla.redhat.com/show_bug.cgi?id=546729
https://exchange.xforce.ibmcloud.com/vulnerabilities/54798
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7958