Computerworld was unable to locate any public discussion of a CSRF vulnerability in Firefox or an Adobe plug-in, such as Reader or Flash.

Later in its discussions over the release timelines for Firefox 3.5.17 and 3.6.14, Mozilla decided that the CSRF bug "isn't serious enough to build for explicitly," and so would go ahead with plans to release the two updates sans patch.

Mozilla did not immediately reply to a request for confirmation, but from a reading of the company's notes on Firefox 3.5.17 and 3.6.14, the patch for the CRSF vulnerability will not be included in next week's updates.

Some CSRF vulnerabilities can allow attackers to execute remote code against a vulnerable browser; if that's the case with this Firefox flaw and if it is not patched soon, the browser may be vulnerable to attack at Pwn2Own, the that kicks off March 9 at the CanSecWest security conference in Vancouver, British Columbia.

Firefox will be one of four browsers -- the others are Chrome, Microsoft's Internet Explorer and Apple's Safari -- that will be targeted by attackers hoping to walk off with $15,000 or $20,000 in cash.