The application's client-side JavaScript processes user-supplied input in an unsafe way, writing it to the DOM without proper sanitization, enabling script injection entirely within the browser.
An attacker could steal session tokens, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim user through crafted URLs or page interactions.
Avoid using dangerous DOM manipulation methods such as innerHTML, document.write, and eval with user-controlled data. Use textContent or safe DOM APIs. Implement Content Security Policy headers to mitigate exploitation.
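
The remediation above as an added example (not code from the application under review): untrusted query-string values are written with textContent and parsed with JSON.parse instead of innerHTML and eval, alongside a CSP value that disallows inline script and eval. The function names, the q and prefs parameters and the preference fields are assumptions made for illustration.

```javascript
// Added example; function and parameter names are hypothetical.
// Pattern the finding describes, kept as comments for contrast:
//   out.innerHTML = 'Results for ' + params.get('q');      // parsed as markup
//   const prefs = eval('(' + params.get('prefs') + ')');   // executed as code

// Write an untrusted value as text. textContent never invokes the HTML
// parser, so markup in the value is displayed rather than interpreted.
function renderQuery(outEl, search) {
  const q = new URLSearchParams(search).get('q') ?? '';
  outEl.textContent = 'Results for ' + q;
  return outEl.textContent;
}

// Parse untrusted structured data with JSON.parse instead of eval, then copy
// only the expected keys after checking their types and ranges.
function parsePrefs(search) {
  const prefs = { theme: 'light', pageSize: 20 };
  const raw = new URLSearchParams(search).get('prefs');
  if (raw === null) return prefs;
  let data;
  try { data = JSON.parse(raw); } catch { return prefs; }
  if (data === null || typeof data !== 'object') return prefs;
  if (data.theme === 'light' || data.theme === 'dark') prefs.theme = data.theme;
  const n = data.pageSize;
  if (Number.isInteger(n) && n >= 1 && n <= 100) prefs.pageSize = n;
  return prefs;
}

// Content-Security-Policy value for the server to send. Omitting
// 'unsafe-inline' and 'unsafe-eval' from script-src blocks inline script and
// eval(); the last directive is enforced by browsers with Trusted Types.
function cspHeaderValue() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "require-trusted-types-for 'script'",
  ].join('; ');
}

// Constructed sample input: a query string carrying markup and extra keys.
const SAMPLE = '?q=%3Cb%3Ehi%3C%2Fb%3E&prefs=' +
  encodeURIComponent('{"theme":"dark","pageSize":50,"admin":true}');
const sampleEl = { textContent: '' }; // stand-in for a DOM element outside a browser
console.log(renderQuery(sampleEl, SAMPLE), parsePrefs(SAMPLE), cspHeaderValue());
```

In a browser, pass a real element and location.search; the CSP value is sent by the server as the Content-Security-Policy response header.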