Earlier this week I saw this tweet by @Sansec float by:
I'm not sure if this is intentionally clickbaitey, but there's nothing new or particularly special about this attack vector. If an attacker can inject the code containing the `eval` or `Function`, they already own your site. The fact the payload happens to be stored in a CSS custom property has nothing to do with it.
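To make the point above concrete from a reviewer's side, here is an added example (not code from the original post or from Sansec): a heuristic static check that flags the `eval` / `Function` sink itself and records a CSS custom property read only as context. The function names, the regexes and the three sample scripts are constructed for illustration.

```javascript
// Added example: heuristic static check for dynamic-code sinks in script text.
// It keys on the sink (eval / Function); where the string was stored is
// recorded only as context. All sample scripts below are constructed.
const SINKS = [
  { name: 'eval', re: /\beval\s*\(/g },
  { name: 'Function', re: /\b(?:new\s+)?Function\s*\(/g },
];
// Read of a CSS custom property, e.g. getPropertyValue('--x')
const CSS_VAR_READ = /getPropertyValue\s*\(\s*['"`]--[\w-]+['"`]\s*\)/;

function findDynamicCodeSinks(source) {
  const readsCssVar = CSS_VAR_READ.test(source);
  const findings = [];
  for (const { name, re } of SINKS) {
    for (const m of source.matchAll(re)) {
      // 1-based line number of the sink call
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ sink: name, line, readsCssVar });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

const SAMPLES = {
  // Sink fed from a CSS custom property
  cssVar: [
    "const s = getComputedStyle(document.documentElement);",
    "eval(s.getPropertyValue('--payload'));",
  ].join('\n'),
  // Same class of sink, string stored somewhere else entirely
  dataAttr: [
    "const el = document.querySelector('#cfg');",
    "new Function(el.dataset.code)();",
  ].join('\n'),
  // Ordinary theming code: reads a custom property, no sink
  themeOnly: "const c = getComputedStyle(document.body).getPropertyValue('--accent');",
};

function report() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, src]) => [k, findDynamicCodeSinks(src)])
  );
}

console.log(JSON.stringify(report(), null, 2));
```

Both sink samples are flagged and the theming-only script is not, so the finding follows the sink rather than the storage location. At runtime, a Content-Security-Policy whose `script-src` omits `'unsafe-eval'` blocks both sinks regardless of where the string came from.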