@Skizzerz noticed that the "Load multiple files" variant of this popular site JS snippet: https://www.mediawiki.org/wiki/Snippets/Load_JS_and_CSS_by_URL didn't validate the 'use' parameter and allowed for XSS attacks with an URL like http://example.com/wiki/Foo?use=MediaWiki:Whatever%26title%3DUser%3AEvil%2Fevil.js (assuming you have registered an account as user 'Evil' and created the page 'User:Evil/evil.js'). The snippet is fixed now: https://www.mediawiki.org/w/index.php?title=Snippets/Load_JS_and_CSS_by_URL&diff=2463924&oldid=2447017 but who knows where it was copied.
Note, the normal variant is not vulnerable (although it is heart-attack-inducing). From a quick glance, our major sites (Wikipedia, Commons, Meta) use the safe normal variant in their MediaWiki:Common.js pages, but we should mwgrep or something to check them all. And maybe we should put out a notice somewhere for third parties?