This looks suspicious but not obviously a working XSS payload. Quick analysis:
What NoScript flagged: the URL includes parameters with embedded JavaScript-like values: "copy=function(){...}", "keys=function(){...}". That suggests the site (vulnona.com) is supplying JavaScript source in query parameters passed to the google.com reCAPTCHA anchor URL — a likely sign of an attempted reflected XSS or unsafe URL-injection.
Are those functions dangerous? The functions shown:
copy tries structuredClone(this) falling back to JSON deep-clone — benign by itself.
keys returns Object.keys(this) — benign.
No explicit eval()/document.write()/innerHTML/XHR/etc. shown here.
Why it’s risky anyway:
Embedding function source into a URL can be used to deliver arbitrary JS if the receiving page later evaluates or injects the parameter into page DOM or into a script context.
If the reCAPTCHA endpoint or any intermediary echoes these parameters into page HTML/JS without proper encoding, an attacker could include code that executes (e.g., adding </script><script>… or calling eval).
The presence of non-alphanumeric characters (curly braces, parentheses, comments, Unicode) indicates someone is attempting to smuggle code, not just harmless data.
Practical conclusion:
The snippet as-is is not an immediately executing payload (no obvious call to eval or DOM insertion), but it is a likely probe or part of an XSS attempt. Treat it as potentially dangerous.
If you control vulnona.com, ensure it never reflects query parameters into pages without proper encoding/escaping and use Content Security Policy and input validation.
If you saw this in browser warnings, avoid interacting with the site and report/blacklist it.
If you want, paste the full exact URL/response context and I can point to exactly which characters or patterns are most dangerous and how an attacker might turn it into executing XSS.
Last edited by barbaz on Sat Jan 17, 2026 8:48 pm, edited 1 time in total.
Reason: wrap XSS message in code tags
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
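Added example, not part of any post in this thread and not NoScript's own code: a small check that flags query parameters whose decoded values look like JavaScript source, plus the HTML encoding a page needs before reflecting such a value. The function names, the pattern list, the `captcha.example` host and the sample URL are constructed for illustration.

```javascript
// Hypothetical heuristics for values that look like script rather than data.
const SCRIPT_LIKE = [
  { name: "function-source", re: /\bfunction\s*\w*\s*\([^)]*\)\s*\{/ },
  { name: "arrow-function", re: /\([^)]*\)\s*=>/ },
  { name: "script-tag-break", re: /<\s*\/?\s*script\b/i },
  { name: "eval-call", re: /\beval\s*\(/ },
];

// Return [{ param, reasons }] for each query parameter whose decoded
// value matches at least one script-like pattern.
function flagScriptLikeParams(rawUrl) {
  const findings = [];
  // URLSearchParams iteration yields already percent-decoded values.
  for (const [param, value] of new URL(rawUrl).searchParams) {
    const reasons = SCRIPT_LIKE.filter((p) => p.re.test(value)).map((p) => p.name);
    if (reasons.length > 0) findings.push({ param, reasons });
  }
  return findings;
}

// Encode a value for an HTML text or quoted-attribute context, so a
// reflected parameter is rendered as text and cannot close a tag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample shaped like the flagged request: parameters named
// copy and keys carrying function source, as described in the post above.
const sampleUrl =
  "https://captcha.example/anchor?k=CONSTRUCTED_SITE_KEY" +
  "&copy=" + encodeURIComponent(
    "function(){try{return structuredClone(this)}" +
    "catch(e){return JSON.parse(JSON.stringify(this))}}") +
  "&keys=" + encodeURIComponent("function(){return Object.keys(this)}");

for (const f of flagScriptLikeParams(sampleUrl)) {
  console.log(`${f.param}: ${f.reasons.join(", ")}`);
}
console.log(escapeHtml("</script><script>"));
```
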
This looks like a real attempt to XSS Google's reCAPTCHA. I've never seen other uses of reCAPTCHA doing anything like this.
Not sure what this XSS is trying to do, so best assume it is dangerous. Definitely block these requests, and consider untrusting and blocking the vulnona site if possible.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Thanks for the reply. What exactly about this is dangerous? Like what can the attacker get from you if they're successful? I have already used this website for months before installing NoScript and didn't notice anything happen. I only just found out about XSS attacks today.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
dreamy6477 wrote: ↑Sat Jan 17, 2026 9:22 pm
Like what can the attacker get from you if they're successful?
Without knowing internal details of reCAPTCHA and how vulnerable it is to XSS, no way to be sure. The theoretical maximum would be anything reCAPTCHA might have, for example: access to your Google account if you're signed in to Google, or trying to manipulate the state of the reCAPTCHA, or using your reCAPTCHA solution on behalf of someone or something else, or anything else involving the site running *its* code in the context of & with the permissions of the reCAPTCHA site.
If none of that concerns you and you need to use this site, consider only accessing it in an isolated browser session where you do not visit any other site and where you run the browser in a disposable sandbox that gets dumped on quit. (And keep blocking the XSS requests.) You might also consider using Firefox Containers as an additional layer of protection.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1