Backport fix for CVE-2016-5279: local path disclosure after drag and drop (bug 1249522)
The fix for CVE-2016-5279 got not backported to ESR45, probably as it did not seem critical enough to Mozilla. I think a fix might fit into Tor Browser pretty well, though (thanks to nicoo for pointing to this bug).
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information