Stuff like setTimeout accepts strings too. I wonder how good those scanners are at detecting an initially innocent function being overwritten and later called in a timeout as a string; it can get fairly indirect.
    let harmless = { func : function() { }, harmlessExternallyLoadedString : '' };
    let toAccess = 'func';
    // do stuff that seems legit
    if(true) {
        // block-scoped `let`: this is a NEW binding, the outer toAccess stays 'func'
        let toAccess = 'harmlessExternallyLoadedString';
    }
    harmless[toAccess] = 'alert(1);'; // imagine this being a fetch request; lands on .func
    // later on: harmless.func is now a string, and a browser setTimeout will eval it
    setTimeout(harmless.func, 1);
Now imagine the logic for what othervar is set to is obfuscated a bit by a more complex logic tree, and the example is a bit less contrived.
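An added example (not from the commenter above) that makes the two halves of the point concrete: why the write in that snippet lands on `func` rather than on `harmlessExternallyLoadedString`, and what a runtime guard against string callbacks looks like. Node's own setTimeout refuses non-function callbacks, so the browser's string-eval behaviour is modelled here by an assumed stand-in, `browserLikeTimer`, which just records what it would have done; `runSnippet` and `makeStrictTimer` are likewise names chosen for this example.

```javascript
'use strict';

// Stand-in for a browser timer (assumption for this example): a string callback
// would be eval'd in the page, a function callback would simply be scheduled.
// It logs instead of executing so the behaviour can be inspected offline.
function browserLikeTimer(cb, _ms, log) {
  if (typeof cb === 'string') {
    log.push('STRING EVAL: ' + cb);   // this is the sink the snippet reaches
    return;
  }
  log.push('function call');
}

// Re-runs the snippet from the comment against a supplied timer and reports
// which key was actually overwritten and what the timer saw.
function runSnippet(timer) {
  const log = [];
  const harmless = { func: function () {}, harmlessExternallyLoadedString: '' };
  let toAccess = 'func';
  // "do stuff that seems legit"
  if (true) {
    // `let` inside the block declares a fresh binding that dies at the closing
    // brace; the outer toAccess is never reassigned. With `var` (or plain
    // assignment) this line WOULD redirect the write to the harmless string.
    let toAccess = 'harmlessExternallyLoadedString';
    void toAccess;
  }
  harmless[toAccess] = 'alert(1);';   // overwrites harmless.func with a string
  timer(harmless.func, 1, log);       // a browser would eval the string here
  return { key: toAccess, funcType: typeof harmless.func, log };
}

// Hardening: wrap a timer so that only real functions are accepted. Dropping
// this over window.setTimeout/setInterval early in page load closes the
// string-callback sink regardless of how indirectly the string got there.
function makeStrictTimer(timer) {
  return function strictTimer(cb, ...rest) {
    if (typeof cb !== 'function') {
      throw new TypeError('timer callback must be a function, got ' + typeof cb);
    }
    return timer(cb, ...rest);
  };
}

// Stand-alone demonstration.
console.log(runSnippet(browserLikeTimer));
try {
  runSnippet(makeStrictTimer(browserLikeTimer));
} catch (e) {
  console.log('strict timer refused:', e.message);
}
```

The static scanner's problem is visible in `runSnippet`: the only write to `func` is through a computed key whose value depends on scoping rules, so a grep for `setTimeout(` with a string literal, or for direct assignments to `func`, sees nothing. The runtime guard does not care how the string arrived, which is why it is the check worth having in a browser that still accepts string callbacks.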