The security hole was introduced with the addition of TraceMonkey, a JavaScript engine known to speed up JavaScript rendering in this version of Firefox.
There is no need for you to downgrade to Firefox 3.0. The same website referenced above describes how to turn the TraceMonkey feature off:
- open a new tab;
- type “about:config” and hit enter;
- read the warning and heed its wisdom;
- enter “jit” in the filter field;
- change the value of “javascript.options.jit.content” to enable (true) or disable (false) TraceMonkey for JavaScript in Web content;
- change the value of “javascript.options.jit.chrome” to enable (true) or disable (false) TraceMonkey for JavaScript in XUL/chrome.
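
To confirm the change took effect on a profile (or on many), the check below reads the text of a Firefox `prefs.js` or `user.js` file and reports the state of the two preferences named above. It is an added example, not code from the referenced website or from Mozilla; the function names and the sample file contents are constructed for illustration, and an unset preference is reported as such because the browser default then applies.

```javascript
// Added example: audit Firefox preference-file text for the two TraceMonkey prefs.
const JIT_PREFS = [
  "javascript.options.jit.content",
  "javascript.options.jit.chrome",
];

// Matches active lines such as: user_pref("name", false);
// Commented-out lines (starting with // or #) do not match.
const PREF_LINE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/;

// Collect boolean prefs; a later line overrides an earlier one.
function parseBoolPrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (m) prefs.set(m[1], m[2] === "true");
  }
  return prefs;
}

// Returns "enabled", "disabled" or "unset" for each JIT pref.
function auditJit(text) {
  const prefs = parseBoolPrefs(text);
  const report = {};
  for (const name of JIT_PREFS) {
    report[name] = !prefs.has(name) ? "unset"
      : prefs.get(name) ? "enabled" : "disabled";
  }
  return report;
}

// Lines to place in the profile's user.js so the prefs are forced off at startup.
function userJsFix(text) {
  const report = auditJit(text);
  return JIT_PREFS.filter((n) => report[n] !== "disabled")
    .map((n) => `user_pref("${n}", false);`);
}

// Constructed sample of a profile's prefs.js (not taken from a real profile).
const SAMPLE_PREFS = [
  "# Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("javascript.options.jit.content", true);',
  'user_pref("javascript.options.jit.chrome", false);',
].join("\n");

console.log(auditJit(SAMPLE_PREFS));
console.log(userJsFix(SAMPLE_PREFS).join("\n"));
```

Settings written to `user.js` in the profile directory are reapplied every time Firefox starts, so remove those lines once a fixed release is installed and the JIT can be turned back on.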
While Mozilla is tackling the issue and trying to address the security hole with a patch/upgrade, it is advisable to plug the hole by disabling TraceMonkey. This downgrades Firefox 3.5 to the JavaScript rendering speeds of 3.0. Believe me, with millions (even billions) of websites out there, disabling the TraceMonkey engine is well worth the trade-off for now.
And with the millions of users who have downloaded Firefox 3.5 since its release, imagine the potential targets of malicious JavaScript code.
It is true, functionality should take precedence over security. But in this case it is prudent to prioritize security, given the powerful functionality JavaScript has and what it can do, especially when exploited. You can be the next unwilling victim!
With their track record, Mozilla should be able to come up with a fix soon.