Mozilla Firefox 3.6a1, 3.5.2, and earlier 2.x and 3.x versions on Linux uses a predictable /tmp pathname for files selected from the Downloads window, which allows local users to replace an arbitrary downloaded file by placing a file in a /tmp location before the download occurs, possibly related to the Archive Manager component. NOTE: some of these details are obtained from third party information.
