A DOM XSS vulnerability in Adobe's PDF ActiveX plugin (res://apds.dll/redirect.html) can be exploited via IE by using the xfa.host.gotoURL() function to bypass same-origin policy restrictions and execute arbitrary JavaScript without security warnings. The vulnerability chains a parameter injection flaw with Adobe's insecure URL redirect handling to achieve cross-domain XSS.
A CSP bypass vulnerability in Microsoft Edge (CVE-2017-0135) where attackers could abuse the XSS filter's default mode to disable meta-tag-based CSP policies by appending malicious meta elements as URL parameters, causing the filter to neuterase the legitimate CSP declaration and allow script execution.
A Medium-severity XSS vulnerability in an article embedding feature that exploits the Referer header value being reflected in the response body without proper sanitization. The attack succeeds only in Internet Explorer due to its lack of URL encoding in the Referer header, allowing script injection via a malicious referrer URL.
A reflected XSS vulnerability discovered in eBay's search parameter (LH_SpecificSeller) that bypassed character filters (<, >, comma) by leveraging CSS expression payloads in Internet Explorer. The exploit worked despite the vulnerable code being inside a display:none span by using style="xss:expression()" to execute arbitrary JavaScript.