PostMessage Wildcard Event Listener Detected
Description

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects, such as a page and an embedded iframe or a popup window. The postMessage API lets developers bypass same-origin policy restrictions in a controlled way to exchange data between scripts running on different origins.
Depending on the application's needs, `message` event listeners may be registered so that received messages feed part of its logic. The listener is where trust is decided: if it accepts messages from any origin (a "wildcard" listener that never compares `event.origin` against the origins it expects) and the received data is then used, for example, to build the page DOM or to populate configuration objects, an attacker can send a crafted message from a page they control and conduct client-side attacks such as Cross-Site Scripting (XSS) or Prototype Pollution.
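The following is an added example, not code from the original page: a wildcard `message` listener placed next to a hardened one. Both handlers take an event-like object `{ origin, data }` and a fake DOM sink so the code runs in Node without a browser; the trusted origin `https://app.example.com`, the attacker origin `https://attacker.example`, the message shape (`html`, `text`, `settings`) and the `naiveMerge`/`safeMerge` helpers are all assumptions for illustration.

```javascript
// Added example (not from the original page): wildcard vs. hardened
// postMessage handlers, simulated outside a browser.

const TRUSTED_ORIGIN = 'https://app.example.com'; // assumed trusted embedder

// Naive recursive merge of message data into a settings object. A "__proto__"
// key in attacker-controlled JSON walks up to Object.prototype (pollution).
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses prototype-reaching keys and only descends into
// own, plain-object properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable (wildcard) listener: no origin check, attacker HTML reaches
// innerHTML and attacker JSON is merged into application settings.
function vulnerableHandler(event, sink, settings) {
  const msg = event.data;
  if (msg.html !== undefined) sink.innerHTML = msg.html;
  if (msg.settings !== undefined) naiveMerge(settings, msg.settings);
  return 'handled';
}

// Hardened listener: exact origin comparison (never startsWith/includes/regex),
// shape validation, text-only sink, prototype-safe merge.
function hardenedHandler(event, sink, settings) {
  if (event.origin !== TRUSTED_ORIGIN) return 'rejected-origin';
  const msg = event.data;
  if (msg === null || typeof msg !== 'object') return 'rejected-shape';
  if (msg.text !== undefined) {
    if (typeof msg.text !== 'string') return 'rejected-shape';
    sink.textContent = msg.text;
  }
  if (msg.settings !== undefined) {
    if (msg.settings === null || typeof msg.settings !== 'object') return 'rejected-shape';
    safeMerge(settings, msg.settings);
  }
  return 'handled';
}

// Stand-in for window.dispatchEvent(new MessageEvent('message', {...})):
// delivers one message to one handler with a fresh sink and settings object.
function deliver(handler, origin, data) {
  const sink = { innerHTML: '', textContent: '' };
  const settings = { theme: 'light' };
  const result = handler({ origin, data }, sink, settings);
  return { result, sink, settings };
}

// Constructed attacker message, sent from an untrusted origin.
const ATTACKER_ORIGIN = 'https://attacker.example';
const ATTACKER_MSG = {
  html: '<img src=x onerror="alert(document.domain)">',
  settings: JSON.parse('{"__proto__": {"polluted": true}}'),
};

function demo() {
  const bad = deliver(vulnerableHandler, ATTACKER_ORIGIN, ATTACKER_MSG);
  const xssLanded = bad.sink.innerHTML.includes('onerror'); // XSS payload reached the DOM sink
  const polluted = ({}).polluted === true;                  // pollution reached every object
  delete Object.prototype.polluted;                         // undo so the process stays sane

  const rejected = deliver(hardenedHandler, ATTACKER_ORIGIN, ATTACKER_MSG);
  const trusted = deliver(hardenedHandler, TRUSTED_ORIGIN, {
    text: 'hello',
    settings: JSON.parse('{"__proto__": {"polluted": true}, "theme": "dark"}'),
  });
  return {
    xssLanded,
    polluted,
    rejected: rejected.result,
    trusted: trusted.result,
    theme: trusted.settings.theme,
    stillClean: ({}).polluted === undefined,
  };
}

console.log(demo());
```

Running `demo()` shows the two outcomes side by side: the wildcard handler lets the attacker's HTML reach `innerHTML` and lets a `__proto__` key pollute `Object.prototype`, while the hardened handler rejects the same message on `event.origin` alone and, even for a trusted sender, drops prototype-reaching keys before merging. In a real page the origin comparison must be a strict equality against the full scheme, host and port; prefix or substring checks are bypassable with look-alike hosts.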
