I'm not sure if this is intentionally clickbaitey, but there's nothing new or particularly special about this attack vector. If an attacker can inject the code containing the eval or Function, they already own your site. The fact the payload happens to be stored in a CSS custom property has nothing to do with it.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I'm not sure if this is intentionally clickbaitey, but there's nothing new or particularly special about this attack vector. If an attacker can inject the code containing the
evalorFunction, they already own your site. The fact the payload happens to be stored in a CSS custom property has nothing to do with it.