Chrome, Edge and Opera - System environment variables leak [CVE-2022-0337] (10000 USD)

We discussed this vulnerability as part of our weekly podcast on 22 March 2022

Great bounty for a fairly simple bug, the showSaveFilePickerwould allow JavaScript to provide options including a default filename, which could include `%envrionment% vars on Windows. The JavaScript could then access the name of the saved file in the resulting promise.