Didn't the desktop apps use to bundle an embedded flash player before? I can't remember but it wouldn't have surprised me if they did.
Wonder what kind of html5/js engine they use for ads these days. (not that it matters, they are all swiss cheese security-wise, especially so if they aren't tracking upstream daily. If you think the sandbox is foolproof, well, just have a look at chromeos - time since last webpage-to-persistent-root exploit is currently about: 6 days https://googlechromereleases.blogspot.no/2016/09/stable-chan... )