The code mentions the Skype for Business 2016 client, but the underlying vulnerability also affects the Lync/Skype4b 2015 client:
- Risk: severe – exposes the user's data
- Exploit code is available here or here
No user interaction is required for the XSS to execute on the target machine. It runs whether or not the target accepts the message. The target only needs to be online.