When saving or opening an email attachment on macOS, Thunderbird did not
set attribute com.apple.quarantine on the received file. If the received
file was an application and the user attempted to open it, then the
application was started immediately without asking the user to confirm.
This vulnerability affects Thunderbird < 102.3.