js/src/jstracer.cpp in the just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00909.html
https://www.exploit-db.com/exploits/40936/
https://bugzilla.mozilla.org/show_bug.cgi?id=503286
http://www.vupen.com/english/advisories/2009/1868
http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
http://www.kb.cert.org/vuls/id/443060
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
http://www.exploit-db.com/exploits/9181
http://www.exploit-db.com/exploits/9137
http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
http://secunia.com/advisories/35798
http://isc.sans.org/diary.html?storyid=6796
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/