[Chrome] Universal XSS in Autofill Assistant

We discussed this vulnerability during Episode 155 on 03 October 2022

The Autofill Assistant has a chain of issues that could be abused for universal XSS in the context of an arbitrary website.

The first hurdle is that the Autofill Assistant intent is only meant to be launched from trusted, Google-controlled sources. The problem is that the isGoogleReferrer check only verifies that the main frame of the tab navigating to the Autofill Assistant intent hosts a google.com page (subdomains included). This could be bypassed from JavaScript by opening another page on https://google.com and then using the handle to that page to navigate it to the intent URI. It could also be bypassed with HTTP redirects, by placing on some Google page a link to an attacker-controlled location that responds with an HTTP redirect to the intent.

Once able to launch the intent, there are a number of potentially interesting parameters; TRIGGER_SCRIPTS_BASE64 is the one of use here. Trigger scripts are not JavaScript, but they are eventually interpreted into JavaScript that is injected into a page. The idea is to have a lightweight language that can define when an intent should be launched, and this parameter can be used to overwrite the trigger script for any web page.

As hinted at earlier, the trigger conditions are translated into JavaScript code that is executed in the context of the target web page. In most cases the builder properly encodes all of its inputs, the exception being PropertyFilter, whose property name is simply concatenated into the generated code without encoding. A trigger script whose trigger condition filters on a malicious property name therefore results in arbitrary JavaScript being injected into any website.
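As an added illustration (not Chromium's code), here is a toy builder that translates a PropertyFilter condition into JavaScript the way the text describes, once with the property name concatenated verbatim and once JSON-encoded so it can only ever be a string literal; the condition shape and the `canary` hook are assumptions made for the example.

```javascript
// Hypothetical trigger condition: match an element whose property `name` equals `value`.

function buildPropertyFilterUnsafe(cond) {
  // BUG (the pattern described above): the property name is spliced into the
  // generated JavaScript without encoding, so quotes in it escape the literal.
  return `(function(el){ return el["${cond.name}"] === ${JSON.stringify(cond.value)}; })`;
}

function buildPropertyFilterSafe(cond) {
  // Fix: JSON.stringify emits a JavaScript string literal with quotes, backslashes
  // and newlines escaped, so the name stays data inside the generated code.
  return `(function(el){ return el[${JSON.stringify(cond.name)}] === ${JSON.stringify(cond.value)}; })`;
}

// Evaluate generated filter code against a fake element. A `canary` function is put
// in scope so the test can tell whether anything beyond the property comparison ran.
function evaluateFilter(code, el) {
  const sideEffects = [];
  const filter = new Function('canary', `return ${code};`)(() => sideEffects.push('ran'));
  return { matched: filter(el), sideEffects };
}

// Constructed samples: a benign condition, and one whose property name breaks out of
// the string literal in the unsafe builder (comma operator keeps the match truthy).
const benignCondition = { name: 'id', value: 'login' };
const maliciousCondition = { name: 'id"] && canary(), el["id', value: 'login' };
const sampleElement = { id: 'login' };

// Stand-alone demonstration of both builders on the malicious condition.
const unsafeResult = evaluateFilter(buildPropertyFilterUnsafe(maliciousCondition), sampleElement);
const safeResult = evaluateFilter(buildPropertyFilterSafe(maliciousCondition), sampleElement);
console.log('unsafe builder ran extra code:', unsafeResult.sideEffects.length > 0); // true
console.log('safe builder ran extra code:', safeResult.sideEffects.length > 0);     // false
```

The same JSON-encoding rule applies to every value the builder splices into generated code, not only the property name.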