Attack overview:
This page is hosted on , a domain that was unregistered
but listed in the Qualified widget's config.domains allowlist.
An attacker registered this domain for ~$10 to gain a trusted postMessage origin.
This page opens a page containing the Qualified widget in a popup, then sends it a
cross-origin postMessage that triggers parsePardotForm, which writes
attacker-controlled HTML into innerHTML without sanitization.
Target: form-test-site-6a2344.webflow.io (Qualified test site with widget token NNKOBMxLzpLiFU4f)
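The two defects the overview describes are a trust decision made on a domain allowlist and an unsanitized innerHTML sink. The following is an added example, not Qualified's code and not the parsePardotForm implementation: a message handler that accepts only exact-match origins the operator actually controls, validates the message shape, and escapes every value before it can reach an HTML sink. The origin, message type and field layout are assumptions for illustration.

```javascript
// Added example (not the widget's own code). Models a hardened postMessage
// receiver: exact origin allowlist, strict message validation, HTML escaping.

// Assumption: only origins whose domains the operator owns and keeps registered
// belong here. An entry for a lapsed domain is a trusted origin anyone can buy.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com", // constructed placeholder origin
]);

// Escape the five characters that let a string break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Exact comparison only: no prefix, suffix or regex match that a lookalike
// host or an unexpected subdomain could satisfy.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Validate a hypothetical form-description message and keep only the fields
// we expect, as plain strings. Anything else is dropped.
function parseFormMessage(data) {
  if (!data || typeof data !== "object" || data.type !== "pardotForm") return null;
  if (!Array.isArray(data.fields)) return null;
  const fields = [];
  for (const f of data.fields) {
    if (!f || typeof f.name !== "string" || typeof f.label !== "string") return null;
    fields.push({ name: f.name, label: f.label });
  }
  return { fields };
}

// Build markup from validated data only; every sender-controlled value is escaped,
// so assigning the result to innerHTML cannot introduce new elements or handlers.
function renderFormHtml(form) {
  return form.fields
    .map((f) => `<label>${escapeHtml(f.label)}<input name="${escapeHtml(f.name)}"></label>`)
    .join("");
}

// Entry point for a message event. Returns the HTML that may be assigned to the
// container, or null when the message is rejected (wrong origin or bad shape).
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  const form = parseFormMessage(event.data);
  if (!form) return null;
  return renderFormHtml(form);
}

// Wiring in a browser would be: window.addEventListener("message", (e) => {
//   const html = handleMessage(e); if (html !== null) container.innerHTML = html; });
```

Note that the origin check is the control that the lapsed-domain purchase defeats: the check itself is correct, but the allowlist contents are not. Escaping at the sink is the independent layer that still holds when a listed origin turns out to be hostile.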