Something about the writing rubbed me the wrong way; seemed very self-promoting and I was prepared to find out the vulnerability was nonsense.

...nope. eBay literally lets you paste arbitrary JS into your item descriptions (suitably mangled, but that's not a barrier when there are tools to do it for you), which is then actually executed on client devices. It's exactly what it says on the tin; a perfect vector for phishing attacks, malware distribution, etc.

There are a few previous discussions on JSFuck:

https://news.ycombinator.com/item?id=3279078

https://news.ycombinator.com/item?id=6379732

https://news.ycombinator.com/item?id=9479834
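
For the defensive side of the issue discussed in this thread, here is an added example (not part of the thread or of any site's code) that flags listing HTML whose script bodies or event-handler attributes are written almost entirely in JSFuck's six-character alphabet `[ ] ( ) ! +`. The function names, the 40-character run length, the 0.9 ratio and both sample listings are assumptions constructed for illustration.

```javascript
// Added example: detect JSFuck-style active content in user-supplied listing HTML.
// Thresholds are assumptions; tune them against real listing data.
const JSFUCK_RUN = /[\[\]()!+]{40,}/g; // long run using only [ ] ( ) ! +
const MIN_RATIO = 0.9;                 // share of the code covered by such runs

// Collect what a browser would treat as script: <script> bodies and on* attributes.
function activeContent(html) {
  const parts = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const attrRe = /\son\w+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    parts.push({ where: 'script', code: m[1] });
  }
  while ((m = attrRe.exec(html)) !== null) {
    parts.push({ where: 'handler', code: m[1] ?? m[2] ?? m[3] });
  }
  return parts;
}

// Return one finding per script body or handler that is mostly JSFuck alphabet.
function scanListing(html) {
  const findings = [];
  for (const { where, code } of activeContent(html)) {
    const compact = code.replace(/\s+/g, '');
    if (compact.length === 0) continue;
    const runs = compact.match(JSFUCK_RUN) || [];
    const covered = runs.reduce((n, r) => n + r.length, 0);
    const ratio = covered / compact.length;
    if (runs.length > 0 && ratio >= MIN_RATIO) {
      findings.push({ where, length: compact.length, ratio });
    }
  }
  return findings;
}

// Constructed, harmless fragment: it only evaluates to [].flat.
const FRAGMENT =
  '[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]';
const SAMPLE_OBFUSCATED = `<p>Vintage lamp</p><script>${FRAGMENT}</script>`;
const SAMPLE_HANDLER = `<a href="#" onclick="${FRAGMENT}">details</a>`;
const SAMPLE_BENIGN =
  '<p onclick="track()">Lamp</p><script>var t = [1, 2].reduce((a, b) => a + b, 0);</script>';

console.log(scanListing(SAMPLE_OBFUSCATED), scanListing(SAMPLE_BENIGN));
```

A check like this is a detection signal for review queues, not a substitute for refusing or sandboxing active content in user-supplied descriptions.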