Rosetta is a new way to create Flash files, which made possible a new kind of vulnerability affecting many websites, including very popular ones.
It’s common for any website to be able to receive some information from other external websites: for example, it’s used by the “Like” buttons (Facebook, Twitter, Google+…) you see often on other external websites. A common method to receive information is to do a request to the target website, and give as a parameter your own function, that will be called back by the target, and will receive JSONP (JavaScript Object Notation with Padding) formatted data. It’s commonly called a JSONP request.
LinkedIn then returns the JSONP-formatted data by calling Malicious() (in the context of the malicious page).
Malicious() can only read the information that LinkedIn sends: it can’t modify information and it can’t control what is sent. This explains why JSONP requests are commonly used, even if it could look an information leak: when implemented correctly, it’s not a security risk in itself, because external websites can’t control the information that is sent. But if a Flash file was passed as a callback parameter instead of a function like Malicious(), it could have more control, because it could be executed by the browser in the context of the target site (and if you’re wondering why, that’s just because that’s how Flash works). To prevent that, JSONP requests only accepts printable characters in callback parameters
._0123456789 abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
Enters the Rosetta Flash vulnerability, known as CVE-2014-4671. 
LinkedIn, eBay, Google, Instagram, Twitter, YouTube, Baidu, Tumblr, Flickr, Yahoo! …
A simple way to prevent this for a website is to prepend a comment (such as /**/) at the start of the callback parameter: this will prevent the callback parameter to be interpreted as Flash, as Flash files are not allowed to start with comment characters, even with Rosetta.