CVE 2016-5253
The Updater in Mozilla Firefox before 48.0 on Windows allows local users to write to arbitrary files via vectors involving the callback application-path parameter and a hard link.
See the 
CVE page on Mitre.org
for more details.
