nuxodin / ie11CustomProperties

CSS variables (Custom Properties) polyfill for IE11

Client DOM Code Injection

amitkhiwal opened this issue · comments

As per a Checkmarx scan run on our Angular application, a security issue is being thrown on line 385 of ie11CustomProperties.js

Checkmarx description:-
The application's !function method receives and dynamically executes user-controlled code using anony1472806589var, at line 103 of ...\src\assets\js\ie11CustomProperties.js. This could enable an attacker to inject and run arbitrary code.
The attacker can inject the malicious payload into the victim's browser, via external input hash. This is read by the browser in the !function method, at line 103 of ...\src\assets\js\ie11CustomProperties.js. The browser then executes this code itself.

Line 385: var oldHash = location.hash;

Is there any alternative to it?

I just use the user input "location.hash" as an argument for getElementById
document.getElementById(location.hash.substr(1))
I do not believe that this can be abused.
What do you think?

I have tried to replace the location.hash with location.href and manually extracting the '#' part but it is still throwing the error.
I think since the user can manipulate the URL in the browser by putting anything after # which will then be read and passed inside document.getElementById().

> I think since the user can manipulate the URL in the browser by putting anything after # which will then be read and passed inside document.getElementById().

Yes, I think passing something user-generated to getElementById() is not dangerous and cannot be abused.
And besides, using IE11 itself is dangerous :)

Just a friendly note:
Please consider voting for this solution at Stackoverflow if you like my polyfill.
https://stackoverflow.com/a/57000437/4865307 and
https://stackoverflow.com/a/56830621/4865307 and
https://stackoverflow.com/a/57000620/4865307
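
The following is an added example, not part of the original thread or of the polyfill's code: one way to constrain the `location.hash` value before it reaches `document.getElementById()`, so the path from source to sink only ever carries an ID-shaped string. The function names, the ID pattern, the length limit and the stand-in document are assumptions made for this illustration.

```javascript
// Added example. All names here are hypothetical, not from ie11CustomProperties.js.
// ES5 syntax so the same functions would also run in IE11.

// Assumption: IDs on the page are ASCII, start with a letter, max 128 chars.
var ID_PATTERN = /^[A-Za-z][A-Za-z0-9_:.-]{0,127}$/;

// Turn a location.hash value into a validated ID string, or null.
function fragmentToId(hash) {
  if (typeof hash !== 'string' || hash.charAt(0) !== '#') { return null; }
  var raw;
  try {
    raw = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding throws URIError
  }
  return ID_PATTERN.test(raw) ? raw : null;
}

// Look up the element; the fragment is only ever used as a lookup key.
function findHashTarget(doc, hash) {
  var id = fragmentToId(hash);
  return id === null ? null : doc.getElementById(id);
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument(ids) {
  var elements = {};
  ids.forEach(function (id) { elements[id] = { id: id }; });
  return {
    getElementById: function (id) {
      return Object.prototype.hasOwnProperty.call(elements, id) ? elements[id] : null;
    }
  };
}

// Constructed sample fragments: valid, empty, malformed, markup-like, unknown.
function demo() {
  var doc = makeFakeDocument(['intro', 'section-2']);
  var samples = ['#intro', '#section-2', '', '#', '#%E0%A4%A', '#<b>x</b>', '#missing'];
  return samples.map(function (hash) {
    var el = findHashTarget(doc, hash);
    return el ? el.id : null;
  });
}

console.log(demo());
```

In a browser, `findHashTarget(document, location.hash)` would take the place of the direct lookup quoted in the thread.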