In affected versions of hellojs
(hello.js) there is a cross-site scripting bug. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. It is possible to simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1)
.
Update to fixed version 1.18.6 or later