When you say that JS and HTML are hosted on GitHub, I assume you mean that the code is hosted there only for download and that your interactive story does not reach GitHub at runtime to retrieve assets. If this were the case, this external connection to GitHub could potentially be used for malicious actions. If someone can access the code hosted on GitHub, they can change it to perform whatever they want on the clients. It is not necessarily an injection, but it is worth drawing attention to.
However, it looks like your application is not getting the GitHub code at runtime. If this app really only uses local resources on the machine (no data retrieval from elsewhere, no external links, etc.), your app should be safe from an external attacker. You should always be wary of viewing any user content, as this could potentially open the door to injection attacks if it is not properly filtered, but in this case, it appears that clients have no way of contacting other clients or uploading to a server. So, realistically, if a user could inject code into their client, the only person they could affect would be themselves.
Another thing to know: if you build a framework in which users can create stories to distribute (for example by allowing other people to play a story that I create), it is also an attack vector. Indeed, the story files are created by arbitrary users (like me) and are then interpreted by the client web application of the users who import them (Alice / Bob).
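
Added example, not part of the original answer: one way an importer can treat a shared story file strictly as data, validating its structure and escaping every author-controlled string before display. The story format (`title`, `start`, `passages`, `choices`) and the function names are assumptions made for illustration.

```javascript
// Added example. Assumed (hypothetical) story format:
// { title, start, passages: { id: { text, choices: [{ label, target }] } } }
const MAX_TEXT = 10000;
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape story text for HTML output (in a browser, element.textContent does this for you).
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);
const isText = (v) => typeof v === "string" && v.length <= MAX_TEXT;
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Parse an untrusted story file strictly as data and copy only the known fields.
function loadStory(jsonText) {
  const raw = JSON.parse(jsonText); // never eval() or new Function() on a story file
  if (!isObj(raw) || !isText(raw.title) || !isObj(raw.passages)) throw new Error("malformed story");
  const passages = new Map(); // a Map, so ids like "__proto__" cannot touch prototypes
  for (const [id, p] of Object.entries(raw.passages)) {
    if (!ID_RE.test(id) || !isObj(p) || !isText(p.text)) throw new Error("bad passage: " + id);
    const choices = (Array.isArray(p.choices) ? p.choices : []).map((c) => {
      if (!isObj(c) || !isText(c.label) || typeof c.target !== "string") throw new Error("bad choice in " + id);
      return { label: c.label, target: c.target };
    });
    passages.set(id, { text: p.text, choices });
  }
  // A choice may only point at another passage in the same file, never at a URL.
  for (const [id, p] of passages)
    for (const c of p.choices)
      if (!passages.has(c.target)) throw new Error("unknown target in " + id);
  if (typeof raw.start !== "string" || !passages.has(raw.start)) throw new Error("bad start passage");
  return { title: raw.title, start: raw.start, passages };
}

// Build the markup for one passage; every author-controlled string is escaped.
function renderPassage(story, id) {
  const p = story.passages.get(id);
  if (!p) throw new Error("no such passage: " + id);
  const items = p.choices.map(
    (c) => `<li><button data-target="${escapeHtml(c.target)}">${escapeHtml(c.label)}</button></li>`);
  return `<p>${escapeHtml(p.text)}</p><ul>${items.join("")}</ul>`;
}

// Constructed sample story, written as if by an untrusted author.
const SAMPLE = JSON.stringify({
  title: "Demo", start: "intro",
  passages: {
    intro: { text: "Hello <script>alert(1)</script>", choices: [{ label: "Go on", target: "end" }] },
    end: { text: "The end." },
  },
});
console.log(renderPassage(loadStory(SAMPLE), "intro"));
```

If story authors need formatting, a small allow-listed markup handled by the importer keeps the same property: nothing in the file is ever executed or inserted as raw HTML.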