Firefox - File Stealing

Overview

Mozilla Firefox versions prior to 2.0.0.12 contain numerous file stealing vulnerabilities (MFSA 2008-02: Multiple file input focus stealing vulnerabilities). The vulnerabilities are related to the ability to selectively capture user keystrokes. Consequently, each of them requires some form of user interaction. A couple of the techniques allow arbitrary characters to be filtered on existing input fields. In others, clever use of styles and keystroke emulation can be used to deceive users. See this post for more about why I think these types of vulnerabilities are important.

NOTE: It is still possible to steal files if a user can be induced to enter the entire path into an input element field. The forthcoming Firefox 3 addresses this issue by removing the text entry portion of the file input element; the graphical file picker is used for all file upload selections.

Background

There have been a number of Bugzilla entries related to file stealing, some of which date back to the year 2000:

For Firefox 2, Bug 413135 (currently embargoed) finally addresses most of the vulnerabilities related to selectively canceling keystrokes. In conjunction with the other focus fixes, the majority of the most serious holes have been closed.

Demonstrations

The following are online demonstrations of the samples that were attached to Bugzilla entries. In some cases, the demos have been updated and consolidated.