I seen a similar problem in another context where a browser engine is used to render some simple HTML in an app for convenience, but then suddenly turns into something exploitable because nobody is thinking about updating the engine when a bug is found in an esoteric (for the app) feature.

Embedded web engines should probably have a minimalistic safe mode.