Firebug 1.2+ in Firefox 3 provides no known path for malicious attack by rogue web sites.
Recently Wladimir Palant wrote a nice long post on "Displaying web content in an extension – without security issues". In the lead paragraph describing security vulnerabilities he points to a really old posting about an old version of Firebug:
"pdp discovered a similar issue in the Firebug extension that uses an HTML-based templating system and forgot to sanitize some input received from the webpage."
If you read through these ancient scrolls you will find Joe Hewitt’s post about the fix. But that fix was way back before version 1.0.5 was out, so none of that old stuff matters today.
While working on Firebug 1.2 we analyzed Firebug for security issues. As a result we reimplemented the Firebug console and command line, and Blake Kaplan added new features in Firefox 3 to complete the process.
Firebug works with web pages in so many ways that we have to consider security issues all of the time. We do take security seriously and we won’t release any version that has known holes.