</script>

Vulnerable Code

KURL completeURL = document()->completeURL(url);

The fix

protocolIsJavaScript(completeURL)
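
The fix tests the scheme of the completed URL. As an added example (not WebKit code and not from the original page), the same kind of guard in JavaScript, set beside a check on the raw string to show which inputs only the completed-URL check catches. All function names, the base URL and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration; not WebKit source. All names here are hypothetical.
const BASE = "https://app.example.test/page"; // constructed base URL

// Weak guard: inspects only the raw, caller-supplied string.
function rawStringLooksLikeJavaScript(raw) {
  return raw.startsWith("javascript:");
}

// Complete the URL against the base; null when it cannot be parsed.
function completeUrl(raw, base = BASE) {
  try {
    return new URL(raw, base);
  } catch (_) {
    return null;
  }
}

// Guard in the spirit of the fix: test the scheme of the completed URL.
function completedUrlIsJavaScript(raw, base = BASE) {
  const completed = completeUrl(raw, base);
  return completed !== null && completed.protocol === "javascript:";
}

// Returns the completed URL to navigate to, or null when navigation is refused.
// Unparseable input is refused as well (fail closed).
function safeNavigationTarget(raw, base = BASE) {
  const completed = completeUrl(raw, base);
  if (completed === null || completed.protocol === "javascript:") return null;
  return completed.href;
}

// Constructed sample inputs: two ordinary targets and four spellings that the
// URL parser normalises to the javascript: scheme.
const SAMPLES = ["/inbox", "https://other.example.test/", "javascript:void(0)",
                 "JavaScript:void(0)", "  javascript:void(0)", "java\tscript:void(0)"];

function compareGuards(samples = SAMPLES) {
  return samples.map((raw) => ({
    raw,
    rawCheck: rawStringLooksLikeJavaScript(raw),
    completedCheck: completedUrlIsJavaScript(raw),
  }));
}

for (const row of compareGuards()) console.log(JSON.stringify(row));
```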

Proof Of Concept Using postMessage Call

Proof Of Concept To Steal Data Across Domains