Since these functions can be used in the same way as eval() to run code from a string,

An example of usage to "run code from a string" is:

setTimeout("alert('foobar')", 1000);

Passing a function, not a string, as the first argument of window.setTimeout() is the recommended and secure form. For example:

setTimeout(function(){alert('foobar');}, 1000);

In the security test on AMO, Mozilla's add-on site, window.setTimeout() is always flagged as insecure, regardless of the type of the first argument.

So, for JavaScript code in Firefox (and/or other Mozilla) extensions, window.setTimeout() should be replaced with nsITimer as follows:

var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
// initWithCallback() expects an nsITimerCallback: an object with a notify() method
timer.initWithCallback({
  notify: function(timer) {
    alert('foobar');
  }
}, 1000, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
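
For code that keeps using window.setTimeout() or setInterval(), the string form described above can be refused at run time instead of being compiled like eval(). The block below is an added example, not code from the original page or from Mozilla; hardenTimers, onViolation and fakeWindow are hypothetical names, and fakeWindow is a constructed stand-in for window so the code runs outside a browser.

```javascript
// Wrap setTimeout/setInterval on `target` so that only function callbacks
// are accepted; a string "callback" is rejected before it can run as code.
function hardenTimers(target, onViolation) {
  const originals = {};
  for (const name of ["setTimeout", "setInterval"]) {
    const original = target[name];
    if (typeof original !== "function") continue; // API not present here
    originals[name] = original;
    target[name] = function (callback, ...rest) {
      if (typeof callback !== "function") {
        // Report the API and argument type only, never the string itself:
        // it may contain untrusted data.
        if (onViolation) onViolation({ api: name, argType: typeof callback });
        throw new TypeError(
          name + ": first argument must be a function, got " + typeof callback);
      }
      return original.call(target, callback, ...rest);
    };
  }
  // The returned function puts the original timers back.
  return function restore() {
    for (const name of Object.keys(originals)) target[name] = originals[name];
  };
}

// Constructed demo: the stub timers record what was scheduled and never fire.
function demo() {
  const scheduled = [];
  const fakeWindow = {
    setTimeout: (cb, ms) => scheduled.push({ cb, ms }),
    setInterval: (cb, ms) => scheduled.push({ cb, ms }),
  };
  const violations = [];
  const restore = hardenTimers(fakeWindow, (v) => violations.push(v));

  fakeWindow.setTimeout(function () {}, 1000); // function form: allowed
  let blocked = false;
  try {
    fakeWindow.setTimeout("alert('foobar')", 1000); // string form: rejected
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  restore();
  return { scheduledCount: scheduled.length, blocked, violations };
}
```

In a page script the call would be hardenTimers(window, report) before any other script runs, where report is whatever logging hook the application already has.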