Shopify: XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter

Description Shopify allows developers to embed widgets containing product info on third-party websites via "widgets.shopifyapps.com". When the widget is rendered the shop attribute is not filtered allowing any website not just Shopify shops to be specified. By providing an attacker controlled...

Shopify: many xss in widgets.shopifyapps.com

xss does work only for internet explorer browser version =10 or in compatible mode xss in https://widgets.shopifyapps.com/products/...?style=xss&button-bg-color=xss is affected parameters style and button-bg-color maybe to include expression in style of page example of xss for iei have test ie8 ,...