Add-ons installed by third party programs are now disabled by default, as if add-on management hasn't been enough of a nightmare already.
Code execution via NoWaiverWrapper
An internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. This could result in elevated privilege being granted to web content.
Cross-origin image theft on Mac with integrated Intel GPU
Random images from GPU memory were showing up in WebGL textures. Once incorporated into the WebGL graphics it is possible for a site to programatically read the image data and potentially gain sensitive data from other things that had been displayed earlier. This problem is due to a bug in the driver for Intel integrated GPUs on recent Mac OS X hardware, and the problem can be seen in WebGL implementations from other vendors. Mozilla has implemented a work-around to prevent this from happening with this hardware-driver combination.
Cross-origin data theft using canvas and Windows D2D
the introduction of the "Azure" graphics back-end on Windows in Firefox 7 re-introduced the cross-origin data theft issue reported earlier.
Memory corruption while profiling using Firebug
Miscellaneous memory safety hazards (rv:8.0)
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
Potential XSS against sites using Shift-JIS
The Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. When encountering an invalid pair Mozilla would turn the entire two-byte sequence into a single unknown character rather than an unknown character followed by a valid single-byte character. On some sites attackers may have been able to end their input with the first byte of a two byte sequence; when that input was later put into a page context it might cause the following delimiter (such as a double-quote) to be consumed, breaking the format of the page. Depending on the page this could potentially be used to steal data or inject script into the page.