On August 6, 2015 Mozilla released an emergency security update for Firefox 38 ESR and Firefox 39 with the Firefox 38.1.1 ESR and Firefox 39.0.3 releases. These releases were a result of MFSA 2015-78: Same origin violation and local file stealing via PDF reader.
From The Mozilla Security Blog:
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.
The next scheduled releases are Firefox 40 and Firefox 38.2.0 ESR on August 11, 2015.