I've fixed this exact vulnerability (sans QR code) for a client of mine in the last 2 years. I place the cause for these kinds of issues on the split between "frontend" and "backend" developers, with many frontend developers coming out of code camps able to build client-side rendered single page applications and being very proficient in JavaScript but not having experience with aspects of security-related software design. Back in the olden days, coming through learning PHP which was all server-side, you got a lot more exposure to that. Less so with these React-heavy code camps.