Cyber Legionnaire pointed me to a link on SecuriTeam to an exploit found by Michal Zalewski that lets a malicious site read a user's local files once the user clicks to agree to let popups appear. This may not seem like that bad a problem on the surface (because when would you allow that to happen on a malicious site?), but the problem is that it's very easy to control a non-malicious site through (yup, you guessed it) XSS.
If I can XSS a page that a user otherwise trusts and change all the links to tell the user that they must allow popups, they will do so, giving the attacker complete access to the user's drive in Firefox. Apparently Firefox completely bypasses all same origin policy restrictions once the popup blocker is turned off. Pretty nasty.
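The whole chain above starts with an XSS foothold on a trusted site, so the place to break it is wherever that site turns attacker-controlled strings into links. The following is an added example, not code from the original post or from the exploit it describes: two small rendering helpers (the names `escapeHtml`, `safeHref` and `renderLink` are my own) that HTML-escape untrusted text and allow only `http:`/`https:` targets, so an injected "please allow popups" link cannot carry markup, event handlers or a `javascript:` URL. The sample inputs are constructed to resemble what a stored or reflected payload in a "link" field might look like.

```javascript
// Added example (not from the original post): rendering helpers that keep
// attacker-controlled strings from becoming markup, so an XSS foothold
// cannot rewrite a trusted page's links. Helper names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and quoted-attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs. Anything else (javascript:, data:,
// unparsable strings) is replaced by a harmless '#' target.
function safeHref(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted));
  } catch (e) {
    return '#';
  }
  return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
}

// Build one anchor tag from untrusted link text and href.
function renderLink(text, href) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(text)}</a>`;
}

// Render a whole list of untrusted link records, one anchor per line.
function renderLinkList(items) {
  return items.map((item) => renderLink(item.text, item.href)).join('\n');
}

// Constructed sample records: a legitimate link plus two shaped like injected ones.
const CONSTRUCTED_INPUTS = [
  { text: 'Home', href: 'https://example.com/' },
  { text: '<script>evil()</script>', href: 'javascript:void(0)' },
  { text: 'Please allow popups" onclick="evil()', href: 'data:text/html,x' },
];

// Stand-alone run: print the rendered (neutralised) list.
console.log(renderLinkList(CONSTRUCTED_INPUTS));
```

Escaping alone is not enough for an `href`: a correctly escaped `javascript:` URL is still executed when clicked, which is why `safeHref` allowlists the scheme rather than trying to blacklist dangerous ones.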