Chrome, Edge and Opera - System environment variables leak [CVE-2022-0337] ($10000 USD)

We discussed this vulnerability during Episode 129 on 21 March 2022

Great bounty for a fairly simple bug, the showSaveFilePickerwould allow JavaScript to provide options including a default filename, which could include `%envrionment% vars on Windows. The JavaScript could then access the name of the saved file in the resulting promise.