A serious flaw in FF 2.0.0.1 (and prior) allows malicious sites to manipulate authentication for third party sites has been found up by Michal Zalewski.
But without javascript installed we are secure. Again one hole the NoScript extension has defended us against. The test can be found here: http://lcamtuf.dione.cc/ffhostname.html
This really is a non issue if you are using the NoScript extension and only allow script on trusted sites. I assume the NoScript extension works on the mac version of firefox.