Thanks to SP1D3RS for the great report and working with the team on this one.
This was a trivial POST-XSS, caused by using the text/html Content-Type on the JSON endpoint, and the ability to control part of the response using unsanitized input.
Why did I disclose it if this is a trivial issue? I pretty often see this behavior on JSON endpoints in other programs. While the wrong Content-Type of the response is not a very big problem in itself, it can become a problem if the endpoint reflects some user-controlled input in the response and this input is not sanitized properly. If you see the same behavior somewhere, it is worth a closer look!
<form id="frm" method="POST" action="https://deals.razerzone.com/json/translation">
<input type="hidden" name="key" value="<svg onload=alert(document.domain);>">
<input type="submit" value="test">
</form>
Thanks to the Razer team, and thanks to the H1 triage team and @coffeecup personally for the quick reopening from Duplicate state and triaging!
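
The server-side pattern described above next to its fix, as an added example that is not part of the original report or the vendor's code: a constructed WSGI handler reflects the `key` field into a JSON-shaped body served as text/html, and the corrected handler serves the same data as application/json with `nosniff` and escaped markup characters. The handler names, the response shape and the harmless `<b>probe</b>` marker are assumptions.

```python
import io
import json
from urllib.parse import parse_qs

MARKER = "<b>probe</b>"              # constructed, harmless probe value
FORM = "key=%3Cb%3Eprobe%3C%2Fb%3E"  # the same marker, form-encoded

def _key(environ):
    # Read the form-encoded POST body and return its "key" field.
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode())
    return form.get("key", [""])[0]

def weak_app(environ, start_response):
    # Assumed shape of the flawed endpoint: JSON-looking body, raw input,
    # and a text/html Content-Type that makes browsers parse it as HTML.
    body = '{"key": "%s"}' % _key(environ)
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]

def fixed_app(environ, start_response):
    # json.dumps quotes the value; rewriting <, > and & as \u00XX escapes
    # keeps the body inert even if a client mislabels or sniffs it as HTML.
    body = json.dumps({"key": _key(environ)})
    for ch in "<>&":
        body = body.replace(ch, "\\u%04x" % ord(ch))
    start_response("200 OK", [
        ("Content-Type", "application/json; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body.encode()]

def post(app, form_body):
    # Drive a WSGI app in-process with a constructed request; no network.
    raw = form_body.encode()
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(raw)),
               "wsgi.input": io.BytesIO(raw)}
    seen = {}
    chunks = app(environ, lambda status, headers: seen.update(headers))
    return seen, b"".join(chunks).decode()

def renders_markup(headers, body, marker):
    # True when a browser would parse the reflected marker as HTML.
    return headers["Content-Type"].startswith("text/html") and marker in body

if __name__ == "__main__":
    for app in (weak_app, fixed_app):
        headers, body = post(app, FORM)
        print(app.__name__, headers["Content-Type"], body,
              renders_markup(headers, body, MARKER))
```

The `renders_markup` check can be reused in a regression test over every JSON route of an application you own, so a handler that drifts back to text/html with reflected input fails the build.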