I found a possible vulnerability vector in a website with a bug bounty program, and I don't want to pass it up, but I can't figure out a way to exploit it.
The possible vector is that, when you go to an unused subdomain (owned by them but now inactive), it redirects to another one of their websites. After running the unused subdomain in a GET request, I noticed that it uses JavaScript to grab part of the URL in the unused domain and attaches it to the end of the newer domain that it redirects to.
Essentially, it echoes part of the original URL into a new URL using the following JS:
<script language="javascript">
var pathname = window.location.pathname;
if (pathname.charAt(0) == "/") pathname = pathname.substr(1);
window.location.href = "http://example.com/example" + pathname;
</script>
(I changed the website to example.com for security's sake)
Anyway, does anybody have any ideas for exploiting this? It seems like there must be a way, considering it doesn't filter pathname.
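
Seen from the side of whoever maintains that redirect page, the unfiltered `pathname` is fixed by validating the value and checking the parsed destination before navigating. The following is an added example, not part of the original post and not the site's code; `buildRedirect`, `TARGET_ORIGIN`, `TARGET_PREFIX`, `FALLBACK` and `SAFE_PATH` are hypothetical names, and the destination is the post's `example.com` placeholder.

```javascript
// Hardened form of the redirect snippet in the post (added example).
// Assumption: the destination is the post's placeholder, http://example.com/example
const TARGET_ORIGIN = "http://example.com";
const TARGET_PREFIX = "/example";
const FALLBACK = TARGET_ORIGIN + TARGET_PREFIX;

// Allow only unreserved path characters and "/"; no "%", "?", "#", "\", spaces.
const SAFE_PATH = /^[A-Za-z0-9._~\/-]*$/;

function buildRedirect(pathname) {
  if (typeof pathname !== "string") return FALLBACK;

  // Same trimming as the original snippet: drop one leading slash.
  const tail = pathname.charAt(0) === "/" ? pathname.slice(1) : pathname;
  if (!SAFE_PATH.test(tail)) return FALLBACK;

  // Parse the candidate instead of trusting string concatenation.
  let url;
  try {
    url = new URL(TARGET_PREFIX + tail, TARGET_ORIGIN);
  } catch (e) {
    return FALLBACK;
  }

  // Verify the parsed result: same origin, still under the intended prefix
  // after dot-segment normalization, and no query, fragment or credentials.
  const onOrigin = url.origin === TARGET_ORIGIN;
  const underPrefix = url.pathname.startsWith(TARGET_PREFIX);
  const plain =
    url.search === "" && url.hash === "" &&
    url.username === "" && url.password === "";

  return onOrigin && underPrefix && plain ? url.href : FALLBACK;
}

// In the page itself the call would be:
//   window.location.replace(buildRedirect(window.location.pathname));
```

Anything that fails a check lands on the fixed fallback URL, so the page never navigates to a destination it did not construct and verify itself.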