Summary

  • The hacker discovered a chatbot on the Samsung Semiconductor subdomain that allowed simple self-XSS, and escalated this to reflected XSS by injecting code into the chatbot input field; the injected code was printed to the console and thus reflected onto the web page.
  • While this still only gave low-impact self-XSS, the hacker realised that if a payload was saved as a bookmark, it would automatically execute when the victim visited the Samsung Semiconductor subdomain.
  • The hacker could then steal the victim’s cookies, but in order to do so, they needed to compromise the victim’s computer to add the malicious bookmark, which is difficult to do and is likely to be detected.
  • As such, while this hack is interesting, it is of very low practical severity and was deemed out of scope and not actionable by the Samsung Security team.

By cryptoshant

Original Article