My concern with Mozilla is the ability of almost any javascript hacker to replace some of the chrome files
Replace chrome files how? Do you know of a way for an attacker to do this remotely? If so, please let me know, as we consider that very serious. If you're talking about an attacker sitting at the victim's keyboard, there's nothing we can do about that.
Unlike modifying C++ components (operating system or otherwise) , javascript hacking requires VERY little experise to capture passwords etc.
Again, that assumes the attacker has a way of replacing those files. If they have a way of replacing files, they could replace chrome or native components, or the whole OS for that matter.
-Mitch
