prompt('XSS by Osanda Malith');
Once you open the attachment, the code gets interpreted.
However, due to the same-origin policy, this bug can't do much damage. If you run
alert(window.sessionStorage.protonmail_pw), the result is “undefined”.
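
Why the read comes back undefined, as an added example that is not part of the original post: a small model of origin-scoped sessionStorage. The hostnames and the stored value are constructed placeholders, and the assumption that the attachment renders on a different origin from the mail application is inferred from the behaviour described above.

```javascript
// Added illustration (not from the original post): sessionStorage is keyed by
// origin, so script running in another origin sees none of the app's keys.
// A real browser also scopes sessionStorage per tab; this model omits that.

// Origin per the URL standard: scheme + host + port for http(s) URLs,
// the opaque origin "null" for schemes such as data:.
function originOf(url) {
  return new URL(url).origin;
}

// Opaque origins serialize to "null" and never match anything, even themselves.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== 'null' && oa === ob;
}

// One storage area per tuple origin.
class OriginScopedStorage {
  constructor() {
    this.areas = new Map();
  }
  areaFor(url) {
    const origin = originOf(url);
    if (origin === 'null') {
      // Browsers refuse storage access from opaque origins.
      throw new Error('SecurityError: opaque origin has no storage');
    }
    if (!this.areas.has(origin)) this.areas.set(origin, {});
    return this.areas.get(origin);
  }
}

// Constructed placeholder URLs (assumptions, not ProtonMail's real hosts).
const APP_URL = 'https://mail.example/inbox';
const APP_URL_EXPLICIT_PORT = 'https://mail.example:443/settings';
const ATTACHMENT_URL = 'https://attachments.example/view/1';

function readPasswordFrom(url) {
  const storage = new OriginScopedStorage();
  // The mail application stores a secret under its own origin.
  storage.areaFor(APP_URL).protonmail_pw = 'constructed-secret';
  // Script executing at `url` reads the same key from *its* origin's area.
  return storage.areaFor(url).protonmail_pw;
}
```
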