Mozilla Firefox prior to 48.0 allows remote malicious users to spoof the location bar via crafted characters in the media type of a data: URL.
mozilla firefox