|Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey
before 2.0.11, does not properly handle certain redirections involving
data: URLs and Java LiveConnect scripts, which allows remote attackers
to start processes, read arbitrary local files, and establish network
connections via vectors involving a refresh value in the http-equiv
attribute of a META element, which causes the wrong security principal
to be used.