A message listener writes event.data straight into the page via innerHTML and never checks event.origin or event.source — so any page that can get a handle to this window can inject markup.
Trigger: win.postMessage('<img src=x onerror=alert(1)>', '*') from any frame/opener.
Detected by: browser_cdp_postmessage_hijack