Aside from the obvious JavaScript injections and framework exploits, check for
- multiple redirects
- \u-encoded JavaScript code
- broken or too permissive CORS along with suspicious backend name
Then, check different website URLs on Virustotal URL checker and use yaronelh/False-Positive-Center to report false positives.
Enjoy.