Backport fix for CVE-2016-5279: local path disclosure after drag and drop (bug 1249522)
The fix for CVE-2016-5279 was not backported to ESR45, probably as it did not seem critical enough to Mozilla. I think a fix might fit into Tor Browser pretty well, though (thanks to nicoo for pointing to this bug).