Is it possible to attack our website via the Web Widget (e.g. denial of service, buffer overflow due to manipulated data in connection with remote code execution)?
The chat widget runs in an iframe. This is a separate browser session ("sandboxed environment") completely disconnected and separated from the main customer page. Security between the iframe and main document is enforced by the browser.