Comment 0 for bug 16232

Tres Seaver (tseaver) wrote :

Sites can use the _search target to open links in the Firefox sidebar. Two
missing security checks allow malicious scripts to first open a privileged page
(such as about:config) and then inject script using a javascript: URL. This
could be used to install malicious code or steal data without user interaction.

Fixed in: Firefox 1.0.3 / Mozilla Suite 1.7.7

Workaround: Disable JavaScript

References:

 - https://bugzilla.mozilla.org/show_bug.cgi?id=290079