JavaScript code execution, heap memory corruption with styles, memory corruption with QueryInterface, code execution with XULDocument.persist(), multiple integer overflows, information leak from nsExpatDriver::ParseBuffer().
Silent trojan code installation is potentially possible.