In the createIE function inside [dhtmlHistory.js|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-webapp/src/main/webapp/includes/lib/dhtmlhistory/dhtmlHistory.js#333], the value of the fragment identifier is concatenated to create the HTML of an iframe without first being HTML-escaped or URL-encoded. This results in a DOM XSS which is exploitable in Internet Explorer.
Steps to reproduce:
1. Create a project named 'testproject' that has a key of 'TESTP'.
2. In Internet Explorer, go to https://$jiradomain/$contextpath/browse/TESTP#src="/></iframe><script>alert(3);</script>
3. If an alert prompt containing the number 3 does not appear, try refreshing the page.
4. Observe that an alert prompt containing the number 3 is shown.
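The concatenation pattern described above next to a hardened form, as an added example that is not the JIRA or dhtmlHistory.js source. The iframe markup, the `blank.html` URL, the `historyFrame` id and all function names are assumptions; the fragment value is the one from the reproduction steps.

```javascript
// Added example: the iframe markup is a simplified stand-in for what createIE
// builds. "blank.html" and the id "historyFrame" are assumptions.

// Fragment value taken from the reproduction steps (text after '#').
var REPORT_FRAGMENT = 'src="/></iframe><script>alert(3);</script>';

// Vulnerable pattern: the fragment is pasted into the markup unchanged.
function buildFrameUnsafe(fragment) {
  return '<iframe id="historyFrame" src="blank.html?' + fragment + '"></iframe>';
}

// Escape characters that can close an attribute value or open a tag.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"'`]/g, function (ch) {
    return '&#' + ch.charCodeAt(0) + ';';
  });
}

// Hardened pattern: URL-encode for the query string, then HTML-escape the
// whole URL for the attribute it is written into.
function buildFrameSafe(fragment) {
  var url = 'blank.html?' + encodeURIComponent(fragment);
  return '<iframe id="historyFrame" src="' + escapeHtmlAttr(url) + '"></iframe>';
}

// Minimal scanner: lists the start tags a parser would open, honouring
// quoted attribute values, so injected elements become visible.
function openedTags(html) {
  var tags = [], i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    var m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i++; continue; }
    tags.push(m[1].toLowerCase());
    i += m[0].length;
    for (var quote = null; i < html.length; i++) {
      var c = html.charAt(i);
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') { i++; break; }
    }
  }
  return tags;
}

console.log(openedTags(buildFrameUnsafe(REPORT_FRAGMENT))); // [ 'iframe', 'script' ]
console.log(openedTags(buildFrameSafe(REPORT_FRAGMENT)));   // [ 'iframe' ]
```

Creating the iframe with `document.createElement` and assigning `src` as a property keeps the fragment out of the HTML parser altogether.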