A flaw was found in w3m 0.5.3-34. When ~/.w3m is unwritable, w3m uses /tmp in an insecure fashion, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.
Created w3m tracking bugs for this issue:
Affects: epel-7 [bug 1539130]
Affects: fedora-all [bug 1539129]
Fixed for all the requested releases.