Comment 2 for bug 1492121

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

I've switched this report from private security to public security because it was prematurely disclosed (a proposed fix explicitly mentioning the bug was pushed to public code review rather than uploaded as a bug attachment).