While new versions of Google Chrome have an XSS Auditor, which refuses to load pages with identified XSS, Googlebot is based on a vulnerable version of Chrome: Google Chrome version 41 (2015).
This presumably manipulates PageRank, but I’ve not tested that for fear of impacting real sites' rankings.
A simple XSS query is shown below:
However, most sites are clever and will sanitize anything in <script> tags. Not to worry, millions of sites are still vulnerable. For example, Bootstrap 3.3.7 has the following XSS vulnerability:
<button data-toggle="collapse" data-target="<img src=x onerror=alert('hello')>">Test</button>
If one encoded this to a URL-friendly format:
You could substitute it as the following parameter:
Injected content that redirects people to a malicious checkout, or directs visitors to a competing product, would be crawled and indexed by Google. This content could even drive featured snippets and appear directly in the search results. Firefox doesn’t yet have adequate XSS protection, so these pages would load for Google users searching with Firefox.
Approximately 18 million websites use Bootstrap, and almost every version of it is plagued with XSS vulnerabilities of some kind. While some of these XSS vulnerabilities are more severe than others, it is imperative to keep Bootstrap up to date.
Simply put, keep all of your web frameworks (and libraries) up to date.
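Added example (not from the original post): why stripping `<script>` tags does not stop the `data-target` payload shown above, next to an allow-list check that rejects it. The function names, the `target` parameter name and the sample query are assumptions constructed for illustration.

```javascript
// Added example; all function names and the "target" parameter are hypothetical.
// Constructed sample: the page's Bootstrap payload, URL-encoded into a query string.
const PAGE_PAYLOAD = "<img src=x onerror=alert('hello')>";
const SAMPLE_QUERY = "target=" + encodeURIComponent(PAGE_PAYLOAD);

// Read and URL-decode one query parameter.
function readParam(query, name) {
  return new URLSearchParams(query).get(name);
}

// Weak control described in the post: removes <script> blocks and nothing else.
function stripScriptTags(value) {
  return value.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Escape a value for use inside a double-quoted HTML attribute.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Allow-list: data-target may only be one simple #id or .class selector.
const SIMPLE_SELECTOR = /^[#.][A-Za-z][A-Za-z0-9_-]{0,63}$/;
function safeTarget(value) {
  return typeof value === "string" && SIMPLE_SELECTOR.test(value) ? value : null;
}

// Before: the payload contains no <script>, so the filter returns it unchanged.
function renderButtonWeak(query) {
  const target = stripScriptTags(readParam(query, "target") || "");
  return `<button data-toggle="collapse" data-target="${target}">Test</button>`;
}

// After: reject anything that is not a plain selector, then escape what remains.
function renderButtonHardened(query) {
  const target = safeTarget(readParam(query, "target"));
  if (target === null) return null; // caller should answer 400 or omit the control
  return `<button data-toggle="collapse" data-target="${escapeAttr(target)}">Test</button>`;
}

console.log(renderButtonWeak(SAMPLE_QUERY));      // markup from the parameter is emitted
console.log(renderButtonHardened(SAMPLE_QUERY));  // null
console.log(renderButtonHardened("target=%23faq"));
```

HTML-escaping alone is not the fix here: the browser decodes the attribute before any script reads `data-target`, so the allow-list is what rejects the payload.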
This issue was reported to Google by TomAnthonySEO in November 2018. They have not confirmed the issue on their side or made any headway addressing it.