Reflected XSS on help.shopify.com

## Summary: Reflected Cross Site Scripting (XSS) on https://help.shopify.com/en/support/confirm-account-details?returnTo= ## Platform(s) affected: All platforms in other languages, exp: * https://help.shopify.com/es/ ## Steps To Reproduce: 1. Open the URL https://help.shopify.com/en/support/confirm-account-details?returnTo=javascript:alert(document.cookie) 2. Make login 3. Back again to https://help.shopify.com/en/support/confirm-account-details?returnTo=javascript:alert(document.cookie) 4. Click on button "Continue" 5. The JS will execute. Notes: * If the user already logged, just access the url and click on the button that the js will be executed. * Also possible make a "Open redirect" when the user click on the button. EXP: https://help.shopify.com/en/support/confirm-account-details?returnTo=https://evil.com ## Supporting Material: ## Impact The attacker can execute javascript code and redirect targets for others pages.