Yeah, this is not a bug. This happens because the security token is only valid for the current session. If you recover a firefox session, it's likely that the vBulletin session has in fact ended, so a new security token will be generated on the server side. Since your site allows the browser to cache its pages, it's possible that the previously loaded page with the old security token was used, causing a mismatch.