The following is some of the web browser research and vulnerability demonstrations that I've put together.
Firefox - File Stealing: a collection of demonstrations of selectively capturing keystrokes in order to steal user files with Firefox 2.0.0.11 and prior.
Internet Explorer 6 - File Stealing: a collection of demonstrations of selectively capturing keystrokes in order to steal user files with Internet Explorer 6.
Java Leakage - Firefox Tests: contains tests to examine how the Sun Java Runtime Environment can be used to help determine a user's Internet location by creating socket connections.
Firefox Referer Spoofing: versions of Mozilla Firefox prior to 2.0.0.10 were vulnerable to referer spoofing by abusing a window.location race condition.
Corrupted Jars: A demonstration of how the Sun JRE will load applets from corrupted JAR files. In this example, the corrupted content makes the file appear to be an image.
Form Data Encoding Roundup: An examination of how different browsers submit form data based on enctype values.
Firefox Focus Bug - File Stealing: A demonstration of stealing files using a Firefox vulnerability on the label element.
ScanFun: Intranet scanning with LiveConnect and a Firefox vulnerability.