Mozilla security researcher moz_bug_r_a4 reported that
a form input control's type could be changed during the restoration of a
closed tab. An attacker could set an input control's text value to the
path of a local file whose location was known to the attacker. If the tab
was then closed and the victim persuaded to re-open it, upon restoring the
tab the attacker could use this vulnerability to change the input type to
file
. Scripts in the page could then automatically submit
the form and steal the contents of the user's local file.