XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggestedfilename is used as the pdfname value in PDF.js.
{ "binaries": [ { "binary_name": "epiphany-browser", "binary_version": "3.36.4-0ubuntu2" }, { "binary_name": "epiphany-browser-data", "binary_version": "3.36.4-0ubuntu2" }, { "binary_name": "epiphany-browser-dbgsym", "binary_version": "3.36.4-0ubuntu2" } ], "availability": "No subscription required" }