A Firefox security flaw originally judged to be of low severity has been upgraded to high, but Firefox 220.127.116.11 "which will be available shortly," according to the Mozilla Security Blog, will include a fix for the problem.
The vulnerability, known formally as the "chrome protocol directory transversal," concerns the so-called 'flat' add-ons that store their components in multiple files instead of using a single .jar file. A flaw in the way the program handles the chrome protocol could allow an attacker to retrieve data from a compromised system.
The vulnerability is not within the browser, according to Mozilla's chief of security Window Snyder, but in how the extensions are written. You can check out a list of affected extensions at Mozilla's website while you wait for the next Firefox update.