This android wallet has an internal browser and it incorrectly strips www. from hosts. This also affects their permission system, meaning this is the perfect bug to phish users.
They didn't answer multiple mails in 30 days, so it's being disclosed.
Oh yes because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.
Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.
It's not the only place you can inject HTML and not every page has a CSP...
They didn't answer multiple mails in 30 days, so it's being disclosed.