
Jitsi privacy flaw enables one-click stealth audio and video capture
zielmicha
created: July 23, 2025, 8:31 p.m. | updated: July 24, 2025, 4:52 p.m.
Jitsi also hosts a public instance, with millions of monthly active users.
An attacker runs a meeting called `MiniGinger` on the public Jitsi instance meet.jit.si.
This code opens a new window with the current URL, while the current window, which stays in the background, opens the Jitsi link.
I think, at the very least, they should remove it from the public instance, where the security risk is at its highest.
July 23, 2025: I waited over a month for their response, then I published this post.
1 week, 4 days ago: Hacker News: Front Page