Bypass chain: This page was loaded via ds.alipay.com open redirect → alipays:// deeplink → Alipay WebView. The trusted domain (ds.alipay.com) acts as a redirect gateway, bypassing any URL whitelist checks. Result: attacker page at innora.ai gains full JSBridge access identical to CVE-1, but through a whitelisted entry point.
Checking environment...