A prominent security researcher has disclosed serious, unpatched flaws in the way fully up-to-date Firefox and Internet Explorer browsers handle JavaScript.

The disclosures come shortly after the Mozilla Foundation patched critical JavaScript-related vulnerabilities in Firefox. Mozilla said it is working on the new problems, but classified them as lower-risk.

The first bug, affecting fully patched IE 6 and 7, could allow JavaScript from an unsafe site to carry out actions related to a seemingly safe third-party site, researcher Michal Zalewski said in a bulletin on the Full Disclosure mailing list.

He said that when JavaScript code from a potentially unsafe site instructs the browser to navigate to an unrelated third-party site, there is a window of opportunity for JavaScript to perform actions such as reading or setting cookies, hijacking pages, injecting code, corrupting memory or crashing the browser.

Zalewski classified the bug as "critical." Microsoft said it is aware of the report and is investigating.

The second bug, affecting Firefox, could allow an attacker to inject JavaScript into pages using IFRAMEs, a common method of displaying content. This could allow malicious code such as key-loggers to be implanted on the page, or could allow spoofing, Zalewski said.

The bug has been submitted to Mozilla as bug 382686, and is similar to Mozilla bug 381300 but is more serious, the researcher said.

He said the bug was "major," but Mozilla's security chief, Windows Snyder, said the bug was not highly serious, giving it a security rating of "low."

Zalewski also reported two less serious problems, one potentially allowing an attacker to download programs onto a user's computer, and the other allowing spoofing of URL data in IE 6.

Mozilla's Snyder noted that the second Firefox bug would require an additional vulnerability to have any effect on users.

Last week Mozilla said it had patched several serious security flaws in Firefox, bugs that also affect the SeaMonkey browser and the Thunderbird email application. The bugs could allow an attacker to take over a system, as well as less serious exploits such as spoofing or security bypass, Mozilla said.

While browser bug patches, even for critical flaws, have become somewhat routine, the latest alert highlighted the fact that Firefox no longer has as clear an advantage over Microsoft's Internet Explorer as it once did.