It is possible to have JavaScript code in PDF or SVG files. I think JavaScript inside SVG runs in almost all browsers and I think JavaScript inside PDF generally always runs in Chrome.
So during a pentest we have seen that the website allows upload of PDF files with JavaScript content, which runs inside the browser (the PDF is opened by the browser, e.g. example.com/files/example.pdf). The uploaded files are served from the main domain and not a third-party service or CDN. The PDF is later reviewed by an admin of the website. The payload will only trigger in the Google Chrome browser. Can we say the website is vulnerable to stored XSS in the report? If the payload only runs in Chrome, does this affect the CVSS score?
Also, what about an SVG file?
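
As an added example that is not part of the original post: a conservative upload-side check, in Python, for the SVG case asked about above, flagging the constructs that make an SVG run script when the browser opens it directly from the site's own origin. The function name, element list and sample files are assumptions constructed for illustration, and the check covers SVG only, not PDF.

```python
import xml.etree.ElementTree as ET

# Elements that run script or embed another document when the SVG is opened.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree adds to tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return reasons an uploaded SVG would execute script if served inline."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8; refuse rather than guess the encoding"]
    if "\x00" in text or "<!doctype" in text.lower() or "<!entity" in text.lower():
        return ["NUL byte or DOCTYPE/ENTITY declaration; refused before parsing"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        if local(el.tag) in ACTIVE_ELEMENTS:
            findings.append(f"<{local(el.tag)}> element")
        for name, value in el.attrib.items():
            # URL parsing drops leading whitespace and embedded tabs/newlines,
            # so compare a compacted, lower-cased form of the value.
            compact = "".join(ch for ch in value if ch > " ").lower()
            if local(name).startswith("on"):
                findings.append(f"event handler attribute {local(name)}")
            elif "javascript:" in compact:
                findings.append(f"javascript: URL in attribute {local(name)}")
    return findings


# Constructed sample uploads (not taken from the original post).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
            b'<script>void 0</script><a href=" JavaScript:void(0)">'
            b'<circle r="4"/></a></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("scripted", SCRIPTED)):
        print(label, svg_active_content(blob))
```

An empty list means none of these constructs were found; it is a gate for rejecting uploads, not a sanitizer that makes a flagged file safe.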