Reflected file download is a new web attack vector that enables attackers to initiate a fake download from a trusted domain. The file to be downloaded doesn't exist on the target domain, it is dynamically generated by exploiting this vulnerability. Consult web references for more information about this vulnerability.
To fix this issue the web application must return a Content-Disposition header with a filename attribute. Setting the filename attribute fixes the name of the downloaded file and the browser doesn't have to guess it. For example:
Content-Disposition: attachment; filename=1.txt