document.referrer leaks hidden service to clearnet service.
Onion services might implement third parties via clearnet like
Most of the time, these third-party scripts collect the referrer via document.referrer. In these cases, document.referrer gives access to the onion URL, which is then sent to these third parties.
Although Tor does prevent sending the referrer to clearnet sites on click (https://trac.torproject.org/projects/tor/ticket/9623), this does not hold true in the cases explained above.
Also, because these third parties also send the current URL home, the onion service URL is sent in that case as well.
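
An added example, not part of the original report: a Node.js check an onion service operator could run over a page's HTML to list scripts loaded from non-.onion hosts, together with the onion hostnames such a script could read from document.referrer and the current URL. The function names, the sample markup and the placeholder onion hostname are constructed for illustration.

```javascript
// Added example (not from the original report). All sample values are constructed.
const isOnion = (host) => host.toLowerCase().endsWith(".onion");

// List every <script src=...> on the page whose host is not a .onion host.
// Such a script runs inside the onion page and can read document.referrer
// and the current URL.
function findClearnetScripts(html, pageUrl) {
  const base = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    let target;
    try {
      target = new URL(raw, base); // resolves relative and protocol-relative src
    } catch {
      continue; // unparsable src, nothing to fetch
    }
    if (!/^https?:$/.test(target.protocol)) continue; // ignore data:, blob:, ...
    if (!isOnion(target.hostname)) findings.push(target.href);
  }
  return findings;
}

// Onion hostnames visible to any script running in the page, taken from the
// same two values the report names: the referrer and the current URL.
function exposedOnionHosts(doc) {
  const hosts = new Set();
  for (const value of [doc.referrer, doc.location]) {
    try {
      const host = new URL(value).hostname;
      if (isOnion(host)) hosts.add(host);
    } catch {
      // empty or malformed value (e.g. no referrer): nothing exposed
    }
  }
  return [...hosts];
}

// Constructed sample page served from a placeholder onion address.
const SAMPLE_PAGE = "http://exampleonionplaceholder.onion/forum/thread?id=7";
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script async src="https://analytics.example.com/t.js"></script>
<script src='//widgets.example.net/embed.js'></script>
<script>var inline = 1;</script>`;
const SAMPLE_DOC = { referrer: "http://exampleonionplaceholder.onion/forum/", location: SAMPLE_PAGE };

console.log(findClearnetScripts(SAMPLE_HTML, SAMPLE_PAGE), exposedOnionHosts(SAMPLE_DOC));
```

A non-empty first list combined with a non-empty second list is the situation the report describes: a clearnet-hosted script that can see the onion address.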