In matrix-react-sdk
before version 3.15.0 the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob
origin that cannot access Matrix user data, so messages and secrets are not at risk.
Upgrade to version 3.15.0 or later.