DOM-XSS in Instant Games due to improper verification of supplied URLs (28125)

We discussed this vulnerability during Episode 185 on 06 February 2023

DOM-based XSS in Facebook via Instant Games (a newer feature being gradually rolled out). The vulnerability is in the goURIOnWindow function, which is used to set the window location and verify it. What's strange is that this method can take the URI either as a string (in which case it creates an internal URI object instance) or as an object, which is meant to be a URI object that can only be created from secure contexts. The problem is that they never actually validate that the incoming object is a real URI object, so an attacker can pass in something like an array to bypass validation.
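To make the type-confusion concrete, here is an added example (not Facebook's code, and not from the original post) that models the string-or-object pattern described above. The `URI` class, the `goURIOnWindow*` functions, the stub window and the sample inputs are all constructed for illustration; the point is that a string goes through parsing and scheme validation while any non-string value is trusted as if it were an already-validated URI, and that a plain `instanceof` check closes that gap.

```javascript
// Minimal model of the vulnerable pattern (constructed example, not Facebook's code).

// The "secure" construction path: parse a string and reject unsafe schemes.
class URI {
  constructor(raw) {
    const parsed = new URL(String(raw), 'https://example.invalid/');
    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
      throw new Error('blocked scheme: ' + parsed.protocol);
    }
    this.href = parsed.href;
  }
  toString() { return this.href; }
}

// Stand-in for window, so the example runs in Node without a DOM.
function makeWindow() {
  return { location: { href: 'https://example.invalid/' } };
}

// Vulnerable: strings are parsed and validated, but any non-string value is
// passed straight through on the assumption that it is a URI instance.
// An array's toString() joins its elements, so ['javascript:...'] stringifies
// to the raw, unvalidated scheme when assigned to location.href.
function goURIOnWindowVulnerable(win, uri) {
  const target = typeof uri === 'string' ? new URI(uri) : uri;
  win.location.href = String(target);
  return win.location.href;
}

// Hardened: accept only a string (which gets parsed) or a genuine URI
// instance; anything else is rejected before reaching the location setter.
function goURIOnWindowSafe(win, uri) {
  let target;
  if (typeof uri === 'string') target = new URI(uri);
  else if (uri instanceof URI) target = uri;
  else throw new TypeError('goURIOnWindow: expected a string or a URI instance');
  win.location.href = target.href;
  return win.location.href;
}

// Constructed inputs: a benign link, and a non-string value carrying a scheme
// the URI parser would have blocked.
const BENIGN = 'https://example.invalid/game';
const NON_STRING_BYPASS = ['javascript:/* constructed payload placeholder */'];

module.exports = { URI, makeWindow, goURIOnWindowVulnerable, goURIOnWindowSafe, BENIGN, NON_STRING_BYPASS };
```

The `instanceof` check is the simplest fix for a same-realm codebase; the broader lesson is that a "trusted object" branch must verify the object actually came from the trusted constructor rather than inferring it from the absence of a string type.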

This bug is reachable in multiple places, virtually anywhere that uses goURIOnWindow with user-provided input without converting it to a URI object first. The post calls out two modules that could be reached by attackers: useInteractivePluginSDKMessageHandler.react and its openurlasync() method, as well as InstantGamesOpenExternalLinkDialog.react's showgenericdialogasync method. The former is only reachable in a couple of games. The latter is presumably reachable from more games, but because it is dialog-based it requires an additional click to exploit.

Meta confirmed this issue was reachable from other places on Facebook that didn't require user interaction.