The gadget noted above seems to call out to google APIs (using jsonp) without telling the user that these requests aren't covered by the WMF privacy policy.
Despite of that the gadget is in a terrible state (like 99.9% of our gadgets) and eg. doing a lot of string mongering with innerHTML (XSS anyone)... but I don't think this is an issue right now as I couldn't find anything obvious on first sight.
The gadget is at least on:
enwiki
bewiki
frwikiversity
mkwikisource
(Probably way more, but mwgrep looks broken atm and I don't have the time to do more research).
Version: unspecified
Severity: normal