There's a security problem with HTML mail that affects IBM Notes 8.0.x, 8.5.x, 9.0: IBM Notes accepts Java applet and JavaScript tags inside HTML emails

For this vulnerability IBM has published IFs for Notes 9.0 and 8.5.3 FP4  releases. Right now only available for Windows and Mac. The Linux release will appear in 8.5.4 and 9.0.1, but if you need it, open a PMR with IBM.

For previous releases you can disable Javascript and Java applets either from the Notes Basic Preferences or by including in notes.ini
  EnableJavaApplets = 0
  EnableLiveConnect = 0
  EnableJavaScript = 0

More info and download links:

• Interim Fix 1 for IBM Notes 8.5.3 Fix Pack 4 (8.5.3.4)
• Interim Fix 1 for IBM Notes & Domino 9.0 (9.0.0.0)