Generally we need to find endpoint which has cors or css or idor which leaks uid and chain with this. specific to this particular case this app has more static content and less endpoint so i could't find another bug to chain with this. but as per new guideline https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards your bug would be valid.