Shopify: XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter
Description: Shopify allows developers to embed widgets containing product info on third-party websites via "widgets.shopifyapps.com". When the widget is rendered, the shop attribute is not filtered, allowing any website, not just Shopify shops, to be specified. By providing an attacker-controlled...