Mrswitch

#23904 of 53,622
9.9 Total CVSS
Vulnerabilities · 1
PT-2020-19758
9.9
2020-10-06
Hello.Js · Hellojs · CVE-2020-7741
**Name of the Vulnerable Software and Affected Versions**

hellojs versions prior to 1.18.6
hello.js versions prior to 1.18.6

**Description**

The issue arises from the package getting the `oauth redirect` parameter from the URL and passing it to `location.assign` without proper checks and sanitization. This allows for the injection of XSS payloads into the `oauth redirect` URL parameter, such as `javascript:alert(1)`.

**Recommendations**

For versions prior to 1.18.6, update to version 1.18.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `oauth redirect` parameter in the affected URL until a patch is available.
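
The kind of check the description says is missing, as an added example (not hello.js code and not the project's actual fix): the redirect value is parsed and only handed on when its scheme is `http:` or `https:` and, going one step beyond the scheme check, when its origin is on an allowlist. The function names, the sample URLs and the `oauth_redirect` key spelling are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not hello.js internals.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized URL that is safe to pass to location.assign,
// or null when the value must be rejected.
function safeRedirectTarget(rawValue, pageUrl, allowedOrigins) {
  if (typeof rawValue !== 'string' || rawValue.length === 0) return null;
  let target;
  try {
    // The WHATWG URL parser trims surrounding whitespace and drops embedded
    // tabs/newlines, so " java\tscript:..." is classified by its real scheme.
    target = new URL(rawValue, pageUrl);
  } catch (err) {
    return null; // unparseable input is never navigated to
  }
  if (!SAFE_PROTOCOLS.has(target.protocol)) return null; // javascript:, data:, ...
  if (!allowedOrigins.includes(target.origin)) return null; // off-site target
  return target.href;
}

// Reads the redirect parameter from the page URL and validates it.
function redirectFromPageUrl(pageUrl, paramName, allowedOrigins) {
  const raw = new URL(pageUrl).searchParams.get(paramName);
  return safeRedirectTarget(raw, pageUrl, allowedOrigins);
}

// Constructed sample input (not taken from the advisory).
const PAGE = 'https://app.example/redirect.html';
const ALLOWED = ['https://app.example'];
const PARAM = 'oauth_redirect'; // assumed spelling of the parameter key

function demo() {
  const samples = [
    PAGE + '?' + PARAM + '=javascript%3Aalert(1)',
    PAGE + '?' + PARAM + '=%2Fcallback%3Fstate%3Dabc',
    PAGE + '?' + PARAM + '=https%3A%2F%2Fother.example%2F',
    PAGE,
  ];
  return samples.map((url) => redirectFromPageUrl(url, PARAM, ALLOWED));
}

// In a browser the caller would do:
//   const target = redirectFromPageUrl(location.href, PARAM, [location.origin]);
//   if (target) location.assign(target);
console.log(demo());
```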