@youssef240697 found a DOM XSS vulnerability in the JavaScript code that handled the deobfuscation of user email addresses rendered on GitHub.com. The bug was not apparent unless the MutationObserver was triggered twice, which happened when the user went back in the browser’s history.

While exploitation of this vulnerability was prevented by our use of Content Security Policy (CSP), we still took the threat seriously. We fixed the bug by simplifying our email obfuscation scheme so that it no longer requires JavaScript.
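
An added illustration of why a handler that runs twice can matter, not GitHub's code: the escaping scheme, the function names and the sample address are assumptions made for this example. It contrasts a handler that decodes its own previous output with one that always derives escaped text from an unchanged source value; it is not the fix described above, which removed the JavaScript entirely.

```javascript
// Added illustration; scheme, names and sample value are assumptions.
const MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#64': '@' };

// Removes exactly one layer of entity escaping per call.
function decodeOnce(s) {
  return s.replace(/&(amp|lt|gt|quot|#64);/g, (_, name) => MAP[name]);
}

// Models assigning textContent: the value is serialized as text, never markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for an element: `source` is an attribute holding the obfuscated
// address (never rewritten); `markup` is what the HTML parser would see.
function makeNode(source) {
  return { source, markup: escapeText(source) };
}

// Weak: decodes its own previous output, as el.innerHTML = decode(el.innerHTML)
// would, so each extra observer callback strips one more layer of escaping.
function naiveHandler(node) {
  node.markup = decodeOnce(node.markup);
}

// Hardened: always starts from the unchanged source and writes text only, so
// any number of callbacks produces the same escaped result.
function hardenedHandler(node) {
  node.markup = escapeText(decodeOnce(node.source));
}

// Simulates the observer callback firing `times` times on one node.
function runCallbacks(handler, source, times) {
  const node = makeNode(source);
  for (let i = 0; i < times; i++) handler(node);
  return node.markup;
}

// True when the markup contains a raw tag opener the parser would act on.
function hasLiveMarkup(markup) {
  return markup.includes('<');
}

// Constructed sample: an address whose local part contains a harmless tag.
const SAMPLE = 'dev&lt;i&gt;&#64;example.com';

console.log(hasLiveMarkup(runCallbacks(naiveHandler, SAMPLE, 1)));    // false
console.log(hasLiveMarkup(runCallbacks(naiveHandler, SAMPLE, 2)));    // true
console.log(hasLiveMarkup(runCallbacks(hardenedHandler, SAMPLE, 2))); // false
```

A single-run test of the weak handler passes, which is why a regression test for this class of bug should invoke the callback more than once on the same node.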