Here is the list from palemoon.org
- (CVE-2013-1692) Fix for the inclusion of body data in an XMLHttpRequest HEAD request, making cross-site request forgery (CSRF) attacks via a crafted web site more difficult.
- (CVE-2013-1697) Fix to restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges.
- (CVE-2013-1694) Fix to properly handle the lack of a wrapper, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.
- Fix to prevent arbitrary code execution from the profiler developer tool.
- Fix for a crash when rapidly reloading pages.
- Fix for cross-document selections.
- Fixes for several crashes in JavaScript.
- Fixes for several memory safety hazards and uncommon memory leaks.
