Attacking through a malicious HTML file apart from XSS through JavaScript

I recently came across a behavior in a web application where the application (through the use of the header ‘Content-Disposition: attachment’) offers to download an HTML file instead of allowing it to get parsed by the browser. Interestingly, the GET request to the URL that lets you download the HTML page passes the absolute path of the HTML file that will be downloaded – starting all the way from /usr/local....<snip>/public/mypage.html. If an attacker has the privilege to upload an HTML file to this location (public), apart from an XSS attack, what else can he/she do on the machine of a victim who downloads and opens the HTML file crafted by the attacker?

I am aware of the XSS attacks that one can do by injecting some malicious JavaScript in the HTML file. I would like to know what else an attacker can get done outside of JavaScript XSS attacks.