This bug could allow a malicious actor to takeover Facebook (and Meta) accounts after tricking the user to play an Instant Game. This bug happens since the
goURIOnWindowModule which is widely used in Meta platforms fails to verify the scheme of the supplied URL which means we can supply a javascript URI scheme and achieve DOM-XSS. DOM-XSS in Instant Games due to improper verification of supplied URLs
so.cl
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer