Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user.
*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.*
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):