A posting to the Full Disclosure mailing list claims an unpatched cross-site scripting vulnerability in Yahoo!'s mail and includes example script code. Quoting the author:
"I didn't contact Yahoo, because I contacted them previously regarding a similar vulnerability, and yes they fixed it 'silently' without even sending me a thank you email, frankly I didn't really appreciate that."
Oh and Happy Holidays.
Mailing List Post Link: Yahoo mail Cross Site Scripting vulnerability (Mail Posting)