Are there any ways in which a local html + js file (without local server) can be harmful?
TL;DR
I am maintaining a scientific visualisation tool for a number of corporations.
Currently, it is basically an Excel sheet without macro. So the possiblities to do cool stuff is somewhat limited. So I am looking at how we could get into some more real programming.
Problem is, these corporations are all super tight on security. So macros in excel are banned for most of them for security reasons.
I was thinking about rewriting it into a local html file instead and do the necessary calculations in js, without opening a local server. Then I should be able to develop all functionality needed, while keeping the application very safe.
Or at least so I think?
This app wouldn't be able to access file system, or send info to 3rd party right?
Is there some other security concern I might be missing?
The short answer is "yes", the long answer is "you are probably fine".
Theoretically a browsers JavaScript Engine should heavily restrict the access of any executed script. With default configurations there should be no way for a script to harm the computer it is executed on.
If you think about it, it is very easy to get somebody to load your website. If that would be enough to harm the machine, we would be in big trouble.
Now in practice there have been vulnerabilities in JavaScript Engines and they have been abused. However this is not something you should need to worry about, nor is it something a corporations will consider.
Edit: A JavaScript can send information to third parties. It just can't read the local filesystem or get more information than any other website can. If you are loading some data, you would theoretically be able to send that data elsewhere.