Seems lunacy for Firefox to drop Java (when many may not have it anyway) when essentially the vulnerability is in the SSL/TLS version used by the browser for secure communication, the vulnerable versions being SSL v3.0 and TLS 1.0. Surely they should be working towards Firefox using versions 1.1 and 1.2 of TLS, which aren't susceptible.
I also thought it was a specially crafted JavaScript and not Java that did the decryption, which is immaterial if versions 1.1 and 1.2 of TLS aren't susceptible; gear Firefox up to use those versions.