Author Topic: Download process is not safe anymore  (Read 7583 times)


Offline moneymaker0886

  • Jr. Member
  • Posts: 28
Re: Download process is not safe anymore
« Reply #15 on: April 17, 2020, 02:12:05 AM »
First, I am not using Avast antivirus anymore; I use Windows Defender. Second, if a new virus or malware force-installs on my PC, because it's new, no matter what antivirus you're on, it won't be stopped. I've seen it before and this is still going on. The only way to avoid problems would be to let owners control what files can download on the PC.

Since Secure Browser downloads files before you tell it to, this is unsafe. You could get a popup that force-downloads stuff with no option to avoid the download. It's really, really bad.

« Last Edit: April 17, 2020, 02:17:00 AM by moneymaker0886 »

Offline Libor Šlechta

  • Browser QA Team
  • Avast team
  • Jr. Member
  • Posts: 44
Re: Download process is not safe anymore
« Reply #16 on: April 22, 2020, 04:05:15 PM »
Hello moneymaker0886,

I have discussed this with one of our security experts who focuses on browsers, and we ended up in agreement that the download itself is not dangerous. Executing the malicious code is.

So therefore pre-downloading the data before you click save is not a security vulnerability, and it is also the reason why other major browsers (Chrome, Firefox) behave the same and why most browsers are by default set to not ask where to download the file and automatically download it to the Downloads folder. Downloading does not mean installing/executing.

And you were not right about Chrome pre-downloading only trusted files. I just checked with our malware samples that are on the internal network (private IP range) and Chrome pre-downloaded them without worry.

However, we are not saying we can't be wrong. If you know about any existing exploit or you have some proper research about how this attack would work from a technical point of view (like what exact steps the attacker would need to achieve to infect the machine), then please properly describe the vulnerability and contact us via our bug bounty program: https://www.avast.com/bug-bounty. As this would be a massive security flaw that would basically be affecting every online user, the reward from the bug bounty program would for sure be financially really rewarding. Please read the program's instructions first, before submitting your report.

To your question about Avast team staff: you can identify us on the forum by the "Avast team" info under the profile icon. "Avast Überevangelist" are recognized community users who have deep knowledge about our products.
« Last Edit: April 22, 2020, 04:12:32 PM by Libor Šlechta »