Yup, you read it right: a cross-site scripting exploit for Firefox 1.x has been released today. Obviously it is remotely exploitable, which can give the attacker system access. I guess it was just a matter of time; let's hope the folks at Mozilla will release a patch RSN.
Until then, you can use the following work-around:
2. Disable the "software installation" function
Read the full report here.
Update: Firefox 1.0.4 has been released, in which the above-mentioned exploit has been fixed.