CVE 2008-4065

Mozilla Firefox before and 3.x before 3.0.2, Thunderbird before, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug."

See the CVE page on for more details.