Assignment 3

Result: 7/10

Question 0 ✔️

Arbitrary Code Execution

Question 1 ✔️

XSS occurs when a website uses a service from another website with code/script injected. CSRF occurs when a website has a copy of the request structure of a service from another website and can execute it without notice.

Question 2 ✔️

To prevent code injection, or misspelled characters that can act like code that can be executed.

Question 3 ❌

To have access to a service of a website without a username or password, or delete databases to slow down a company, or get control of the system by getting access to an administrator account.

Question 4 ✔️

The server has no control over what these clients are doing when using any service provided; they can change the website copy, i.e. HTML/CSS/JavaScript, to gain an advantage or do something malicious when requesting this service. By also validating on the server side, it can deny this request, reload the page and prevent something from going really bad, and perhaps show "Something went wrong" to the user.

Question 5 ✔️

The source code is open for anyone to view, audit and collaborate on the software; when a vulnerability is encountered, anyone can solve it and submit a fix, so the software tends to be much more secure.

Question 6 ❌

Lack of access to other software that is not in the store or has not yet been audited by the store.

Question 7 ❌

Can prevent code injection and cross website redirection.

Question 8 ✔️

When submitting a form, for example submitting a payment form with my credentials and credit card information on a web service like amazon.com.

Question 9 ✔️

This exploit may be able to steal user data from the server database by randomly retrieving small pieces of data in every heartbeat request provided by the TLS session.