This means an attacker can construct a URL with malicious JavaScript in the URI fragment...
Dangerous use of innerHTML
window.addEventListener('load', function() { const page = window.location.hash.substr(1); loadPage(page); document.getElementById('page-no').innerHTML = page; });