*.myshopify.com is vulnerable to a reflective cross-site scripting attack in the newsletter form. This can be crafted to trigger on a page load without any further user interaction.
The following example url shows this vulnerability:
This was tested on a newly registered store "testbuguser.myshopify.com"
If you require any additional details, please do not hesitate to bump.
This attack could be leveraged to compromise administrative sessions or perform actions on behalf of users with the same level of privilege as the user.