A remote attacker can bypass the same-origin policy or the content security policy, spoof the content of the addressbar, trick a user into a self-XSS attack, access sensitive information or execute arbitrary code on the affected host. A local attacker might be able to escalate privilege.