In Mozilla Foundation Security Advisory 2007-28, the company acknowledged
"When the default browser is Firefox 184.108.40.206 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user," Mozilla said in its advisory. "This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."
To protect Firefox users from the attack vector, Mozilla said it eliminated the ability to run arbitrary script from the command line. Other command-line options remain, however, and QuickTime media-link files could still be used to annoy users with popup windows and dialogs until the issue is fixed in QuickTime, Mozilla added.
Firefox users will automatically be prompted to upgrade to version 220.127.116.11, which includes the fix.