Of course, another way would be smashing an internal Netscape stack to insert
a filename into that readonly field.
But there is another possible loophole - it has always been possible to access
random Javascript elements from a document in another frame or window. This
works with any Javascript-containing document, whether local or on a server,
as long as the objects aren't tainted, and it is commonly used to feed dynamic
data into Javascript documents.
However, it is hardly exploitable - nobody will use Javascript objects to store data
on his disks, and the plain text body of a document is not a readable property of
document. But any bug which exposes the document text - like an accessible
internal property of the navigator parser - would make any file vulnerable.
Sevo