Steam Inventory Helper Chrome extension v1.13.6 suffered from a DOM-based XSS in bookmarks.html combined with clickjacking via over-permissive web_accessible_resources, allowing arbitrary JavaScript execution in the extension's privileged context and hijacking of all authenticated websites. The vulnerability exploits jQuery's unsafe DOM manipulation APIs (html/append) paired with an 'unsafe-eval' CSP directive, weaponized through UI redressing to trick users into pasting XSS payloads.
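The two manifest settings that made the Steam Inventory Helper chain possible can be checked mechanically. The following lint is an added example (not code from the extension or from the original write-up) that flags an 'unsafe-eval' CSP and HTML pages exposed to every origin via web_accessible_resources; the two manifests it runs over are constructed for illustration.

```javascript
// Added example: lint a Chrome extension manifest for the two weak settings
// the write-up combines. Handles both MV2 and MV3 manifest shapes.
function lintManifest(manifest) {
  const findings = [];

  // MV2 stores the CSP as a string; MV3 nests it under extension_pages.
  const csp = typeof manifest.content_security_policy === 'string'
    ? manifest.content_security_policy
    : ((manifest.content_security_policy || {}).extension_pages || '');
  if (/'unsafe-eval'/.test(csp)) {
    findings.push("CSP allows 'unsafe-eval': injected strings can reach eval()/new Function()");
  }

  // MV2 lists plain strings, exposed to every origin; MV3 lists
  // {resources, matches} objects. Normalise both to {resource, matches}.
  const entries = (manifest.web_accessible_resources || []).flatMap((e) =>
    typeof e === 'string'
      ? [{ resource: e, matches: ['<all_urls>'] }]
      : (e.resources || []).map((r) => ({ resource: r, matches: e.matches || [] })));

  for (const { resource, matches } of entries) {
    const exposedToAll = matches.some((m) => m === '<all_urls>' || m === '*://*/*');
    const isHtmlPage = /\.html$|^\*$/.test(resource);
    if (isHtmlPage && exposedToAll) {
      findings.push(`web_accessible_resources exposes ${resource} to all origins: any site can frame it (clickjacking)`);
    }
  }
  return findings;
}

// Constructed manifests: the weak shape beside a hardened one.
const weakManifest = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  web_accessible_resources: ['*.html', 'img/*'],
};
const hardenedManifest = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
  // Only non-HTML assets, and only to the one site that needs them.
  web_accessible_resources: [{ resources: ['img/*'], matches: ['https://steamcommunity.com/*'] }],
};

console.log(lintManifest(weakManifest));     // two findings
console.log(lintManifest(hardenedManifest)); // []
```

Note that the lint cannot see the DOM sinks themselves; the jQuery html()/append() calls in bookmarks.html still need a source review, and untrusted bookmark data belongs in text()/textContent rather than an HTML sink.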
Three XSS vulnerabilities discovered in ProtonMail for iOS: one via SVG onload in the applewebdata origin, one via a javascript URI requiring click interaction, and one via a base64-encoded HTML embed in a data origin. While the XSSs do not allow email exfiltration, they enable JavaScript execution, privacy violations through tracking, phishing, and UXSS in privileged contexts.