Security researcher Gregory Fleischer reported
that local resources loaded via the file:
protocol can
access any domain's cookies which have been saved on a user's machine.
Fleischer demonstrated that a local document's domain was being
calculated incorrectly from its URL. If a victim could be persuaded
to download a malicious file and then open that file in their browser,
the malicious file could then steal arbitrary cookies from the
victim's computer. Due to the interaction required for this attack,
the severity of the issue was determined to be moderate.