Microsoft Internet Explorer v6.SP1 and below has a vulnerable download function that can be exploited by a malicious attacker to gain access to a user's cache directory. Link to two demonstrations included.
dcaee30b8ef3a1cceeae51d751d897cc6278c21e1025eac9cf682ea1ae4fd7ab