The Mozilla security blog confirms an exploit against an unpatched vulnerability Firefox 3.5 exists and has been made public.

Do note that Heisse tried to confirm the vulnerability and only managed a crash on Vista and can't seem to make it work on Windows 7 RC1
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

The mozilla blog above has a workaround by temporary disabling the javascript.options.jit.content setting in about:config

Alternatively one could install and use NoSCript to disable all javascript by default.