Because the filename of a torrent file being downloaded isn't sanitized, an attacker can execute arbitrary JavaScript on localhost:* by abusing a crafted torrent file.
Note: Since it can be embedded in an iframe (and the port number can be brute-forced), the steps after step 2 won't be needed in a real attack.
The attacker can store arbitrary JavaScript on localhost:* with a service worker, so if the victim runs any software on the same port after the attack, any information on a website served on that port can be stolen.
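
A defensive sketch of the two controls this report points to, added here as an example and not taken from the affected project: escaping torrent-supplied filenames before they reach HTML, and refusing service worker script fetches so nothing persists on the localhost origin. The server design, the function names and the sample filename are assumptions.

```javascript
// Added example, not the affected project's code. Assumes a hypothetical local
// server that lists torrent file names in an HTML index and serves file bodies.

// Escape every character that can change the HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// RFC 5987 encoding for the filename* parameter of Content-Disposition.
function encodeRfc5987(s) {
  return encodeURIComponent(s).replace(/['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Index page: names are HTML-escaped as text and percent-encoded inside the href.
function renderIndex(fileNames) {
  const items = fileNames.map((name, i) =>
    `<li><a href="/${i}/${encodeURIComponent(name)}">${escapeHtml(name)}</a></li>`);
  return `<!doctype html><ul>${items.join('')}</ul>`;
}

// Status and headers for a file request. requestHeaders uses lower-case keys,
// as Node's req.headers does.
function fileResponse(fileName, requestHeaders) {
  // Browsers send "Service-Worker: script" when fetching a worker script.
  // Torrent content must never be registrable as a worker on this origin.
  if ((requestHeaders['service-worker'] || '').toLowerCase() === 'script') {
    return { status: 403, headers: { 'Content-Type': 'text/plain' } };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/octet-stream',   // never text/html
      'X-Content-Type-Options': 'nosniff',          // no MIME sniffing
      'Content-Security-Policy': "default-src 'none'; sandbox",
      'Content-Disposition': `attachment; filename*=UTF-8''${encodeRfc5987(fileName)}`,
    },
  };
}

// Constructed sample input: a filename carrying markup.
const SAMPLE_NAMES = ['a<img src=x onerror=alert(1)>.txt', 'notes.txt'];
console.log(renderIndex(SAMPLE_NAMES));
console.log(fileResponse('sw.js', { 'service-worker': 'script' }).status);
```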