Hmmm, which browser?
HTML and CSS are rendered onscreen by the browser. So, safari or brave or firefox or chrome are the one executing the code.
Uh... ones that render HTML? They aren’t too keen on providing little niggling details such as what it does, how, on what browsers, etc. that’s why I’m not too worried... I think it’s a vulnerability without much specificity...