I haven't reproduced this, but it seems low at worst. As presented, it requires the user download a file, then open it, and in the end you get something that just makes the browser unusable.
Bug 1809074 Comment 3 Edit History
I haven't reproduced this, but it seems sec-low at worst. As presented, it requires the user download a file, then open it, and in the end you get something that just makes the browser unusable.