Let's say I make a little chat app that stores some history or some other data in local browser storage or cookies. Any other site can just as easily access all of that information. An "attacker" could link you to a modified version of the chat site that relays all of your messages to their server while still making it otherwise look like it's just the normal chat. It would also retain any client side information you had previously entered like your nick name or chat history, since it's stored in local storage.
Most of the time sanitizing input, like ensuring users don't have HTML in their names or comments, combined with domain-level separation and CORS policies ensures that one site can't do things that "leak" into another. It's the reason most of the time no matter how bad people mess things up Facebook getting hacked in your browser doesn't compromise your Google account.
That doesn't look like a new attack vector, this is called phishing, isn't it?
XSS means you can inject and persist code in a webpage maintaining the same URL accessed by other users.
If you create a bigbank-fake.com and copy a manipulated version of bigbank.com's HTML, this is not XSS.
2. Modify the parameters to hijack any relevant content
3. Reshare the smol site with your changes under the guise it’s the original link
The only reason that would be a threat is if you implicitly trusted smolsite.zip, which would be an odd thing to do.
They expend enough effort in this as to ensure the vast majority of content on GitHub pages is not malware, and avoid getting blankedly flagged as such.
It's not clear if smolsite.zip can successfully set up a similar process, given that they'll serve just any zip that's in the URL, and they won't have the manpower to verify takedown requests.
