It's not an XSS attack per se but if one of the trusted sites, A, has been compromised by an XSS attack, with the ability to inject a script then this attack can be leveraged to also compromise the access credentials to site B (steemit in this case) by redirecting the login attempt on site B to a malicious imitation of site B's login page.

AFAIK nofollow and noopener don't fix the issue on Safari and other old versions of popular browsers.