See: https://urlquery.net/report/88cd8e35-f1b8-41cf-a454-94e9eff23854
3 evals in javascript - consider this codepen: https://codepen.io/rafaelcastrocouto/pen/BoOLzW
Quite some issues here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fvendercartaobom.com.br%2Findicador%2F
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
Hostgator and Comodo cert. OCSP stapling not enabled. -http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
We can’t download CRLs from internal servers!!!
errors: https://certificate.revocationcheck.com/vendercartaobom.com.br
Nameserver versions exposed, so DROWn vuln. : https://www.dnsinspect.com/vendercartaobom.com.br/10173262
Retirable code: http://retire.insecurity.today/#!/scan/b4f4aaf5b79fbed32de169d48c7ba43d25082ae0b5009054b649c9eedbeb162d
No sri-hashes whatsoever generated: https://sritest.io/#report/2a50d92e-6416-4239-883d-36f5de2e78ed (66 issues).

Certificate anomalies indicating PHISHING behavior.

polonus (volunteer website security analyst and website error-hunter)