JavaScript's BrowserFeedWriter() and other exceptions leak installation paths on OS X and Windows
In #5922 (closed) it was claimed that the vulnerability uncovered at Defcon 17 by Gregory Fleischer (http://pseudo-flaw.net/tor/torbutton/browserfeedwriter-error.html) doesn't affect TBB on OS X. I have just replicated this bug on 2.3.25-10.
When the TBB is installed in a user's homedir, calling (new BrowserFeedWriter()).close() will leak their username in a JS exception.