After noticing T289063, I looked into Impact's module code, and noticed another XSS can be exploited there. Unlike the linked task, it can only be exploited for accounts with zero edits, making it less impactful, but it needs to be addressed regardless.
Any admin can add arbitrary JavaScript code to MediaWiki:growthexperiments-homepage-impact-unactivated-suggested-edits-footer, which will be executed by homepage viewers with zero edits.