The client software downloaded a list of servers from mozilla’s servers and created local files named
after the hostname field in the json document.
No verification of the content of the string was made, and it could therefore have included ‘../’ leading to path traversal.
This allows an attacker in controll of mozilla’s servers to overwrite/create local files named .conf.
The flaw was corrected by sanitizing the hostname field.