Penetration test indicates that QlikView is potentially vulnerable to ClickJacking attack.
Clickjacking is also referred to as User Interface redress attack, UI redress attack or UI redressing. This is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. For more details: https://en.wikipedia.org/wiki/Clickjacking
This type of attack is prevented by adding a X-Frame-Options HTTP response header from web server. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
X-Frame-Options HTTP response header is currently not supported by QlikView Web Server. The X-Frame-Options HTTP response header can only be enabled for QlikView content by using IIS as the web server.
Please see Microsoft knowledge base (KB2694329) on Mitigating framesniffing with the X-Frame-Options header
for more details on how to apply X-Frame-Options HTTP response header in IIS.