Rajesh Sethumadhavan just published a number of XSS and other vulnerabilities in Yahoo. Unfortunately, the way they are built, none of these are useful for launching other attacks against Yahoo’s Ajax infrastructure. Take the ones that use yimg (click here for an example in IE and then click on the banner once it loads): the problem is that yimg is not on the same domain as yahoo.com.
For AJAX to work (at least for the particular attacks that I have in mind) the domain has to be the same, so finding an XSS in yahoo.com proper is far more useful for launching these types of attacks. The ones against Yahoo mail don’t seem to be remotely exploitable from what I can tell (like the yimg one above), but those would be ideal. But regardless, Rajesh did a great job finding them!
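The same-domain requirement above is the browser's same-origin comparison, and it can be used to triage XSS reports by the origin in which the injected script would run. The sketch below is an added example, not code from the original post; the function names, finding ids and URL paths are constructed for illustration, and only the hostnames yahoo.com and yimg come from the post.

```javascript
// Same-origin comparison as a browser applies it to XMLHttpRequest.
// An origin is the (scheme, host, port) triple; URL.origin normalises
// default ports, so http://host and http://host:80 compare equal.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Split XSS findings by whether the injected script would run in the same
// origin as the Ajax application (hypothetical helper for report triage).
function triageFindings(appUrl, findings) {
  const result = { sameOrigin: [], crossOrigin: [] };
  for (const f of findings) {
    const bucket = sameOrigin(appUrl, f.url) ? result.sameOrigin : result.crossOrigin;
    bucket.push(f.id);
  }
  return result;
}

// Constructed sample data: ids and paths are made up for this example.
const APP = "http://yahoo.com/";
const FINDINGS = [
  { id: "xss-yimg",        url: "http://yimg.com/constructed/banner" },   // different host
  { id: "xss-main",        url: "http://yahoo.com/constructed/page?q=1" },
  { id: "xss-main-port80", url: "http://yahoo.com:80/constructed/page" }, // default port
  { id: "xss-https",       url: "https://yahoo.com/constructed/page" },   // different scheme
  { id: "xss-8080",        url: "http://yahoo.com:8080/constructed/page" } // different port
];

function runTriage() {
  return triageFindings(APP, FINDINGS);
}

console.log(runTriage());
```

Findings in the `sameOrigin` bucket are the ones to fix first, since script injected there can issue requests to the application and read the responses, while the yimg case cannot.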