DOM XSS — Polaris Navigation postMessage Origin Bypass

Target: polaris.xfinity.com/polaris.js (v2026.04.0) loaded by www.xfinity.com/hub
Root cause: Unanchored origin regex — the check is a substring match, so an origin such as polaris.xfinity.com.<attacker> passes it
Attacker origin required: The payload must be served from polaris.xfinity.com.<attacker-domain>
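The root cause above, shown as an added example that is not code from polaris.js: the regex is an assumed reconstruction of an unanchored check (the real pattern is not on this page), and the lookalike origin uses a placeholder ".example" suffix. The hardened handler compares the full origin against an allowlist and validates the message shape before rendering.

```javascript
// Added example, not from polaris.js. WEAK_ORIGIN_RE is an assumed stand-in
// for an unanchored origin check of the kind the write-up describes.
const WEAK_ORIGIN_RE = /polaris\.xfinity\.com/;

// Weak check: a substring match. Any origin containing the string passes,
// including a lookalike host that merely starts with it.
function weakOriginCheck(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Hardened check: exact comparison of the full origin (scheme + host) against
// an explicit allowlist. Note that even an end-anchored regex would still
// match a host like notpolaris.xfinity.com, so exact comparison is preferred.
const ALLOWED_ORIGINS = new Set(['https://polaris.xfinity.com']);
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Defensive postMessage handler: drop anything from a non-allowlisted origin,
// validate the payload shape, and hand the text to a renderer that must use
// textContent (never innerHTML or on* attributes). Returns true if rendered.
function handleToastMessage(event, renderToast) {
  if (!strictOriginCheck(event.origin)) return false;
  if (typeof event.data !== 'object' || event.data === null) return false;
  if (typeof event.data.text !== 'string') return false;
  renderToast(event.data.text);
  return true;
}

// Constructed origins for a self-check; the lookalike suffix is a placeholder.
const GENUINE_ORIGIN = 'https://polaris.xfinity.com';
const LOOKALIKE_ORIGIN = 'https://polaris.xfinity.com.example';
```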
Path 1 — Toast innerHTML (auto-fires, no interaction after popup)

The PoC opens my.xfinity.com in a popup, waits 6s for Polaris to initialise, then posts the payload every second.

Path 2 — setAttribute onmouseover (hover trigger)

Same popup; the payload then sets the onmouseover attribute on the header element, and the XSS fires on hover.

-- log --