The Location object is supported by all major browsers and contains information about the URL being requested. The browser was exposing URL information across Web domains, a vulnerability that could allow a malicious website to determine where a user had surfed and potentially leak URL information. The vulnerabilities were closed in Firefox 16.0.2, Firefox ESR 10.0.10, Thunderbird ESR.0.10 and SeaMonkey 2.13.2.2. Mozilla introduced a new security feature to the browser that by default blocks known vulnerable plug-ins from running.
Source: https://threatpost.com/mozilla-patches-cross-site-scripting-flaws-firefox-102912/77161/

