soabase / exhibitor

ZooKeeper co-process for instance monitoring, backup/recovery, cleanup and visualization.

Home Page: https://groups.google.com/forum/#!topic/exhibitor-users/PVkcd88mk8c


Prevent click jacking and cross site scripting

dlaidlaw opened this issue

Cross-site scripting and clickjacking are major concerns. Many issues can be resolved by setting some headers in the HTTP responses for the user interface and REST responses for both the master and slave processes.

- `X-Frame-Options`: can be set to `deny`, `sameorigin`, or `allow-from`
- `X-XSS-Protection: 1; mode=block`

These would go a long way toward making sites using Exhibitor more secure. Note that the user exploiting these attacks does not need to have access to the Exhibitor hosts; they are attacked through a user's web browser. So if the user can connect to both Exhibitor and the internet, it is an issue.
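A small audit script for checking whether a running Exhibitor instance actually returns the two headers requested above, with the values the issue recommends. This is an added example, not code from the Exhibitor project or the issue author; the default UI URL (`http://localhost:8080/exhibitor/v1/ui/index.html`) is an assumption and the `fetch_headers` helper is constructed here.

```python
"""Audit the clickjacking / XSS-filter headers on an Exhibitor HTTP response."""
import sys
import urllib.request

# Values the issue asks for: X-Frame-Options deny/sameorigin/allow-from,
# and X-XSS-Protection "1; mode=block".
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def audit_security_headers(headers):
    """Return a list of findings; an empty list means both headers look right.

    `headers` maps header name -> value. Names are matched case-insensitively,
    as HTTP requires, so a proxy that lowercases headers is still handled.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper().startswith("ALLOW-FROM"):
        # allow-from is only meaningful with an origin after it
        parts = xfo.split(None, 1)
        if len(parts) < 2 or not parts[1].strip():
            findings.append("X-Frame-Options ALLOW-FROM has no origin")
    elif xfo.upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    else:
        directives = [d.strip().lower() for d in xss.split(";")]
        if directives[0] == "0":
            findings.append("X-XSS-Protection disabled (0)")
        elif "mode=block" not in directives[1:]:
            findings.append("X-XSS-Protection lacks mode=block")
    return findings


def fetch_headers(url, timeout=5):
    """GET `url` and return its response headers as a dict (constructed helper)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.getheaders())


if __name__ == "__main__":
    # Assumed default Exhibitor UI location; pass another URL as argv[1].
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/exhibitor/v1/ui/index.html"
    for line in audit_security_headers(fetch_headers(url)) or ["both headers present and sane"]:
        print(line)
```

Run it against each Exhibitor process (master and slaves alike), since the issue notes that the REST responses of every process need the headers, not just the UI.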