# Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com
Severity: Medium
Program: HackerOne
Reported by: suresh1c

## Vulnerability Details
**Summary:**
hackerone.com loads the following script file:
https://js.driftt.com/include/1530431100000/hp9revvwkk62.js
The page contains the following handler (quoted from the minified script; the fragment is truncated as it appears in the report):
```javascript
this.handleMessage=function(e){if(e&&e.data){var t=document.getElementById(Si);if(t&&(e.source===t.contentWindow||e.source===window.opener)){
```
The handleMessage method handles cross-domain window messaging (postMessage). It never validates the message origin, and the condition e.source===window.opener holds for every message sent by the window that opened the page, so an attacker-controlled opener can drive all the events that handler dispatches on the page.
### Steps To Reproduce
PoC URL: https://othertest45.azurewebsites.net/ddd.html
Load the PoC URL and allow popups for the page.
Click the button on the page; it triggers the events and you can see the modification on the page.
XSS may be blocked by the recently added Content Security Policy, but url("blocked:alert(1);") is a valid payload.
To fix the issue, remove the condition e.source===window.opener or validate the origin.
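As an added illustration of the weakness described in the Summary and of the fix proposed above (this is example code written for this page, not Drift's script or HackerOne's code), the block below places a receiver modelled on the quoted handler, which trusts `e.source === window.opener` and never checks `e.origin`, next to a hardened receiver that requires an exact-match origin allowlist and only the widget iframe as source. The browser objects (`window.opener`, the iframe, `document`), the element id `widget-frame` standing in for the obfuscated `Si`, and the sample origins and payloads are all constructed stand-ins so the file runs under Node.

```javascript
// Added example, not code from the Drift script or HackerOne: a postMessage
// receiver that trusts window.opener (the pattern in the report) beside one
// that validates origin and source. All browser objects are constructed fakes.

// Constructed stand-ins for the widget iframe, window.opener and document.
const widgetFrameWindow = { name: 'widget-iframe' };
const openerWindow = { name: 'window-that-opened-this-page' };
const fakeWindow = { opener: openerWindow };
const fakeDocument = {
  // 'widget-frame' is an assumed element id standing in for the obfuscated Si.
  getElementById: (id) =>
    id === 'widget-frame' ? { contentWindow: widgetFrameWindow } : null,
};

// Weak pattern from the report: a source-only check and no origin check.
// Returns true when the message would be dispatched to the page's handlers.
function weakHandler(e, win = fakeWindow, doc = fakeDocument) {
  if (!(e && e.data)) return false;
  const t = doc.getElementById('widget-frame');
  // Whatever window opened this page is window.opener, so its messages pass.
  return Boolean(t && (e.source === t.contentWindow || e.source === win.opener));
}

// Hardened receiver: exact-match origin allowlist, the iframe as the only
// trusted source (window.opener is deliberately not trusted), typed payload.
function makeStrictHandler(allowedOrigins, doc = fakeDocument) {
  const allowed = new Set(allowedOrigins);
  return function strictHandler(e) {
    if (!e || !e.data || typeof e.data !== 'object') return false;
    if (typeof e.origin !== 'string' || !allowed.has(e.origin)) return false;
    const t = doc.getElementById('widget-frame');
    if (!t || e.source !== t.contentWindow) return false;
    return typeof e.data.type === 'string';
  };
}

// Constructed sample messages; origins and payloads are illustrative only.
const fromWidget = {
  origin: 'https://js.driftt.com', source: widgetFrameWindow, data: { type: 'ready' },
};
const fromOpener = {
  origin: 'https://untrusted.example', source: openerWindow, data: { type: 'showMessage' },
};
// Right origin claimed by the wrong window: the source check still rejects it.
const spoofedSource = {
  origin: 'https://js.driftt.com', source: openerWindow, data: { type: 'ready' },
};

const strictHandler = makeStrictHandler(['https://js.driftt.com']);

console.log('weak   accepts widget message :', weakHandler(fromWidget));      // true
console.log('weak   accepts opener message :', weakHandler(fromOpener));      // true (the bug)
console.log('strict accepts widget message :', strictHandler(fromWidget));    // true
console.log('strict accepts opener message :', strictHandler(fromOpener));    // false
console.log('strict accepts spoofed source :', strictHandler(spoofedSource)); // false
```

The origin check uses an exact string match against a fixed allowlist rather than a prefix or regex test, since `e.origin` is a full scheme://host[:port] value and loose matching is the usual way such checks are bypassed. Dropping `window.opener` from the trusted sources is what the report's fix recommends; keeping it would require an origin check on those messages as well.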
## Impact
An attacker can trigger every event and action exposed by that JavaScript on the page and display spoofed content or messages, which would damage HackerOne's reputation.
## Report Details
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Generic