Stored XSS through PDF viewer

Severity

High

Program

Slack

Team Summary

Official summary from Slack

Slack allows users to upload files to their Workspace to facilitate sharing information between team members as well as with other workspaces. In addition, with the aim of easing access to PDF files, Slack provides its own "PDF Viewer" (https://app.slack.com/pdf-viewer) embedded in the application which renders the PDF contents without requiring the user to download the file to their local computer. Typically, files shared in this way containing special characters will be HTML encoded, so that their contents will not be rendered as HTML or executed as JavaScript code in the browser. Due to a dependency vulnerable to Cross-Site Scripting, if an attacker shared a malicious PDF file via the Upload file option, the Slack "PDF viewer" could have exposed user data. The issue was resolved by patching a vulnerable dependency in the PDF viewer. Slack undertook a thorough analysis and concluded that no customer was impacted by this vulnerability.

Reported by hitman_47
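The summary above describes the general mechanism (PDF-controlled strings reaching the viewer's HTML without output encoding) but does not name the dependency or the exact injection point. The following is an added example, written for this page and not Slack's code or the patched dependency's code: it assumes, as a hypothetical stand-in, that the viewer renders the PDF's /Title metadata into the page, builds a constructed PDF whose title carries an HTML payload, and shows the vulnerable string-concatenation pattern beside the output-encoded version. The function names and the PDF bytes are all constructed for illustration.

```javascript
// Added example: models how a PDF viewer can turn attacker-controlled PDF
// strings into stored XSS, and the output-encoding fix. Not Slack's code and
// not the vulnerable dependency's code; the /Title sink is an assumption.

// Constructed PDF: the document-information dictionary (object 3) carries a
// /Title literal string containing HTML. Just enough structure for a naive
// metadata reader; not a complete, renderable PDF.
const maliciousPdf = [
  "%PDF-1.4",
  "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
  "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
  "3 0 obj << /Title (<img src=x onerror=alert(document.domain)>) /Author (attacker) >> endobj",
  "trailer << /Root 1 0 R /Info 3 0 R >>",
  "%%EOF",
].join("\n");

// Minimal reader for the /Title literal string. PDF literal strings may
// contain balanced parentheses unescaped, so a depth counter is needed;
// backslash escapes are handled only as "next char literal" (real PDFs also
// use \n, \r and octal escapes, which a production parser must decode).
function extractTitle(pdfText) {
  const keyAt = pdfText.indexOf("/Title");
  if (keyAt < 0) return null;
  let i = pdfText.indexOf("(", keyAt);
  if (i < 0) return null;
  let depth = 0;
  let out = "";
  for (i++; i < pdfText.length; i++) {
    const c = pdfText[i];
    if (c === "\\") { out += pdfText[++i]; continue; }
    if (c === "(") depth++;
    else if (c === ")") { if (depth === 0) return out; depth--; }
    out += c;
  }
  return null; // unterminated string
}

// Vulnerable pattern: PDF-controlled text is concatenated into markup that
// the viewer later assigns to innerHTML. The browser parses the <img> tag and
// runs its onerror handler in the origin of the viewer page.
function renderTitleUnsafe(title) {
  return `<h1 class="pdf-title">${title}</h1>`;
}

// Output encoding: the five HTML-significant characters become entities, so
// the same bytes are displayed as text and never reach the parser as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderTitleSafe(title) {
  return `<h1 class="pdf-title">${escapeHtml(title)}</h1>`;
}

// Regression check a viewer test-suite can run over rendered output: any
// angle bracket inside the trusted wrapper means PDF content reached the
// HTML parser unencoded.
function leaksMarkup(html) {
  const inner = html
    .replace(/^<h1 class="pdf-title">/, "")
    .replace(/<\/h1>$/, "");
  return /[<>]/.test(inner);
}

// Stand-alone run: show both renderings for the constructed file.
const title = extractTitle(maliciousPdf);
console.log("unsafe:", renderTitleUnsafe(title), "leaks:", leaksMarkup(renderTitleUnsafe(title)));
console.log("safe:  ", renderTitleSafe(title), "leaks:", leaksMarkup(renderTitleSafe(title)));
```

In a real viewer the equivalent fix is to assign untrusted strings via textContent or createTextNode rather than innerHTML, keep the rendering dependency patched as Slack did here, and back both with a Content-Security-Policy that disallows inline script so a missed sink does not become code execution.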

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$4875.00

Weakness

Cross-site Scripting (XSS) - Stored