Description: A cross-site scripting issue exists in Help Viewer's handling of help: URLs. Visiting a maliciously crafted website may lead to the execution of JavaScript in the local domain. This may lead to information disclosure or arbitrary code execution. This issue is addressed through improved escaping of URL parameters in HTML content. This issue does not affect systems prior to Mac OS X v10.6. Credit to Clint Ruoho of Laconic Security for reporting this issue.

-- Apple Security Updates

And, again, Apple...

As I noted in 2004, having a single set of bindings for helper applications for radically different security environments is a bad idea.

This entire class of attacks could be avoided.

IO
Lynx-enhanced by <peter at taronga.com> (Peter da Silva) Get Firefox - The Browser Reloaded