Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications
High
Slack
Team Summary
Official summary from Slack
A vulnerability in Slack's desktop clients allowed a user within a Slack team to send a malicious link to a teammate which would cause code to be executed on that victim's local computer. The issue hinged on a special type of Slack notification called HTML notifications. We resolved the issue by sanitizing the input to these notifications before rendering and by adding context isolation throughout our Desktop clients. The sanitization portion of this fix is performed on Slack's backend and applies to all Slack users; our Desktop users need not take any action to be protected from this vulnerability.
Reported by
oskarsv
Report Details
State
Closed
Substate
Resolved
Weakness
Code Injection