The Mudcat Café TM
Thread #149743   Message #3485531
Posted By: JohnInKansas
02-Mar-13 - 02:03 PM
Thread Name: Tech: Web code weakness allows data dump on PC
Subject: RE: Tech: Web code weakness allows data dump on PC
It's not clear that this capability has any use other than as a practical joke, since it says someone can store all kinds of junk on your computer but doesn't say it can be retrieved by the one who put it there. More information will be necessary to look at whether it would be useful to malware distributors, and there's little reason why they would want to retrieve their own stuff. They're more interested in your stuff.

One of the linked sites could, of course, download malware to take over your computer, but dumping a lot of junk would make it much more obvious that you'd been invaded, and any sensible person would immediately clean up. Most malware distributors don't want you to know they've been there.

The bug appears to only allow each individual file downloaded to be the size of the intended allowed limit for a single site, and anyone wanting to steal "mass storage space" wouldn't be too interested, I'd think.

As noted, it apparently is possible to write browser code to block the effect (within the up-front limit intended for the browser); it's unlikely that browser makers would be likely to have worried about it, given the high percentage of crap code in most of them.

An additional problem is that in fact THERE IS NO HTML5 STANDARD, and won't be until at least sometime next year (they hope). This allows browser and website builders to add any hallucination they may have had last night, without confirmation that it "complies" to anything.

HTML5 has (sort of) been in design for several years. Some progress has apparently been made, but the cake ain't quite done.

John