Since these functions can be used in the same way as eval() to run code from a string,

An example of usage to "run code from a string" is:

setTimeout("alert('foobar')", 1000);

It is recommended and secure that the first argument of window.setTimeout() is a function, not a string. You can use following sample code:

setTimeout(function(){alert('foobar');}, 1000);

On Mozilla add-on site AMO's security test, window.setTimeout() is always flagged as insecure, regardless type of the first argument.

So, for JavaScript codes on Firefox(and/or other Mozilla) extensions, window.setTimeout() shall be replaced with nsITimer as follows:

var timer = Components.classes[";1"].createInstance(Components.interfaces.nsITimer);
 }}, 1000, Components.interfaces.nsITimer.TYPE_ONE_SHOT);