@eveh NodeBB provides the bare minimum to allow browsers to expose the "Install as App" button (instead of "Add to Home Screen"). You'll have to inspect the menu options in your mobile browser.
Unsolved Bootbox 5.5.2 Cross-Site Scripting
I don't know what Bootbox is for, but evidently NodeBB 1.18.4 depends on Bootbox 5.5.2, which has a cross-site scripting vulnerability according to npm audit.
Bootbox is used to show modals and alerts. You can test it by running
bootbox.alert('hello')in your browser console.
The vulnerability mentioned comes from bootbox allowing any html to be passed in. For example
For the full discussion you can check https://github.com/makeusabrew/bootbox/issues/661