Yeah, it's a vulnerability.
One approach is to enable an X-XSS-Protection header. You can do this in the web.config custom headers, as in the following config entry.
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>
And configure the IIS response header as well.

william xifaras
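An added example (not part of the answer above) that checks whether a response actually carries the two settings the web.config entry is meant to produce: X-Powered-By removed and X-XSS-Protection set to `1; mode=block`. The raw response it parses is constructed sample data, and the function names are my own.

```python
# Added example: audit response headers for the web.config settings above.
# SAMPLE_RESPONSE is a constructed response, not captured from a real server.
from typing import Dict, List

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both settings took effect."""
    findings: List[str] = []
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection header missing")
    else:
        # Value syntax is "<0|1>[; mode=block]"; tokens are compared case-insensitively.
        parts = [p.strip().lower() for p in xss.split(";")]
        if parts[0] != "1":
            findings.append(f"X-XSS-Protection is '{xss}', filter not enabled")
        elif "mode=block" not in parts[1:]:
            findings.append("X-XSS-Protection lacks mode=block")
    if "x-powered-by" in headers:
        findings.append("X-Powered-By still disclosed: " + headers["x-powered-by"])
    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Run it against a real response by replacing SAMPLE_RESPONSE with the head of a captured reply from the server after the web.config change is deployed.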