A software package a day: NoScript
If I had to decide upon one add-on for Firefox, NoScript would be the one I would recommend. It isn’t that it adds a lot of functionality; it disables a lot of functionality by default. Of course, that is the point.
NoScript turns off JavaScript and many other things that want to activate automatically in your browser and instead allows you to choose which sites you trust and which you don’t. Even if you trust a site, JavaScript, Flash files, Java applets and other active content that are sourced from somewhere else are not trusted until you decide to activate them. You can activate such things just once (useful for sites you just need a small amount of content from) or you can add those to your trust list as well.
The process is a bit annoying for the first few days, but as most people visit the same sites repeatedly, the software quickly learns your preferences. After a while you stop noticing that it is there, as your trusted sites run as expected and strange cross-site scripts in advertising or on sites you don’t frequent continue to be neutered. This reduces the possibility of a vulnerability in the browser being exploited, as the exploit would have to run on one of your trusted sites, not some random throwaway domain (which is the usual situation).
It doesn’t make you bulletproof, but it does help, along with sane browsing practices, to avoid the most common problems. Recommended.