The plugin has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.
1) Create a pop-up that is set to load on any page
2) Go to `http://example.com/?__proto__[poc]=polluted`
3) Open browser console
4) Type `poc` and see `polluted` as the result.