Did you ever think about how to start a program on the client’s computer from within your Web application? Maybe a button that starts the Windows calculator? This is possible now, thanks to a serious vulnerability in Firefox.
Do you want to start your calculator? Just click the link below:
Can’t believe it? It’s a Firefox vulnerability, and it has been reported by US-CERT (and other sites). Imagine what else a hacker could put into the link above.
The problem is that Mozilla/Firefox does not filter certain protocol handlers, but simply passes them through to Windows.
Workarounds for users
(quoted from US-CERT)
Using the about:config interface, setting the following options to true will make Firefox display a prompt before sending a URI to an external handler.
network.protocol-handler.warn-external-default
network.protocol-handler.warn-external.mailto
network.protocol-handler.warn-external.news
network.protocol-handler.warn-external.nntp
network.protocol-handler.warn-external.snews