The app trusts window.CONFIG.url as its configuration. But named DOM elements (id/name) leak onto window, so injected markup with id="CONFIG" silently overrides that global — no JavaScript execution required.
Trigger: inject <a id=CONFIG><a id=CONFIG name=url href=//evil> — window.CONFIG.url becomes attacker-controlled.
Detected by: browser_cdp_dom_clobbering_detect