For almost all tel: URIs it will place the number in the dialer and the user would need to press the call button to initiate the call or action. The USSD code in some cases will auto run. Using the two main phones I have, the Samsung dialer on a Note 9 will not accept USSD codes from other applications. On my Pixel 2 XL the code auto runs using the Google dialer. My rating would be more in the sec-low range, as Google rated it in [1180510](https://bugs.chromium.org/p/chromium/issues/detail?id=1180510). It could be used in an annoying DoS. The data can't be exfiltrated without coercing the user to manually screenshot or painstakingly manually copy the numbers. You might be able to use it to lend credibility to a support scam.
Bug 1728742 Comment 11 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
For almost all tel: URIs it will place the number in the dialer and the user would need to press the call button to initiate the call or action. The USSD code in some cases will auto run. Using the two main phones I have, the Samsung dialer on a Note 9 will not accept USSD codes from other applications. On my Pixel 2 XL the code auto runs using the Google dialer. My rating would be more in the [sec-low](https://wiki.mozilla.org/Security_Severity_Ratings/Client) range, as Google rated it in [1180510](https://bugs.chromium.org/p/chromium/issues/detail?id=1180510). It could be used in an annoying DoS. The data can't be exfiltrated without coercing the user to manually screenshot or painstakingly manually copy the numbers. You might be able to use it to lend credibility to a support scam.