Cross-Site Scripting (XSS) vulnerability in storefront js

[alexbaat]

We use this plugin on multiple shops and in our security scans a vulnerabillity came up.
Within the file src/Resources/app/storefront/src/main.js there are these lines:

        const gtmPush = request.getResponseHeader('gtm-push');

        if (gtmPush && window.dataLayer) {
            window.dataLayer.push(JSON.parse(gtmPush));

            if (window.gaRegisterClickTracking) {
                window.gaRegisterClickTracking();
            }
        }

If I manually add a cookie '_gtm_push' in my browser with a random value, and reload the page, this value is reflected within the source code, for instance the result is

<script type="text/javascript">
  window.dataLayer.push(MyRandomValue);
</script>

So this script is vulnerable for cross-site scripting.
I would like to fix this but I first want to understand why these lines are in the code because I don't know why you should fetch this value.

[wbm-sbasler]

The loadened event will be fired when switching between product pages in the listing. When you reload the page, the variable in meta.html.twig will be filled in StorefrontRenderSubscriber.php. That would most likely the place where you can fix this issue.

[wbm-sbasler]

@alexbaat i could not really reproduce this, maybe i missed something.
Can you please tell me the steps to reproduce, with all necessary requirements.