I happened to notice another problem, the file loader.html has an obvious XSS if the window is 10px wide. I know that's an odd condition, but an attacker can easily force that with something like

<iframe width="26px" scrolling="no" src="http://localhost:37848/LocalHelp/loader?javascript:alert(1)">

The code is like this:

	var st = getStyle("a", "width");
	
	if (st == "10px") {
		var queryString = window.location.search;
		if (queryString.length > 0 && queryString.charAt(0) == "?") {
			var url = queryString.substr(1);
		}
		window.location.href = url;
        }

I honestly have no idea what the author intended, but this bug can be used with the path traversal to access arbitrary local files, or even authenticated remote files by forcing them to be downloaded (<a href=foo download>.click())

Update from TM:

I hope you have been well.
 
We wanted to let you know that we have released a new build of Trend Micro Security to address the issues you have raised to us.  It has been uploaded to our ActiveUpdate servers, and most customers should be receiving the update within the couple of days.
 
A Security Bulletin has been issued at: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1114095.aspx for your reference.
 
On behalf of the Trend Micro team, we wanted to thank you again for working with us to address and responsibly disclose these issues for our customers.
 
If you have any questions or concerns, please let us know.