IFrame Vulnerability Classification


I was participating in a bug bounty on a website we will call example.com, when I ran into a very strange edge case which I am not sure I should report. The website uses ads and tracking similar to google analytics from a website we can call tracking.com. When visiting the example website there is an iframe to the tracking website. The source of the iframe can be seen below.

<body> <script type="text/javascript">      ((function (e, t)      {            var n = function () {                var e = t.createElement("iframe");                e.src = "https://tracking.com/container/?utm_source=[INJECT];                e.style.cssText = "position: absolute";                t.body.appendChild(e)           }            if (t.readyState === "complete")           {                n()           }           else           {                if (typeof e.addEventListener !== "undefined")                {                     t.addEventListener("DOMContentLoaded", n, false)                }                else                {                     e.attachEvent("onload", n, false)                }           }      })(window, document)); </script> </body> 

The example website also has a parameter called utm_source, into which javascript can be injected into the iframe (where I placed [INJECT] in the code above). For example, visiting https://example.com/?utm_source=";</script><script>alert(document.domain)</script> yields the alert embedded page at tracking.com says tracking.com. The issue is that the tracking website is not in scope of the bug bounty and I am not even sure that the issue is caused by the tracking website. It seems like the example website allows the user to inject arbitrary JS into the iframe of the tracking website. Is this a bug worth reporting or am I missing some easy way of escaping the iframe?

So far I have tried injecting </iframe> and things like e.onload=alert(1)to escape the iframe but have not been successful. Since the example and tracking websites are on different domains I cannot access things in the parent website (example) from the tracking website due to the “X-Frame-Options” header set to “SAMEORIGIN”.

As a beginner this bug has me very confused as to how it should be classified and if it is exploitable in any way. Any tips would be greatly appreciated!