
It makes it somewhat easier to XSS into your router.

(P2P encrypted video? Great. P2P systems in the browser driven by Javascript from any web page or ad network? Less great idea there.)



"Somewhat" is kind of important here. In practice you can easily just test 10 or so most common router IP addresses in under 5 seconds. And probably get a 95% hit ratio:

192.168.1.1 192.168.0.1 192.168.2.1 192.168.10.1 192.168.100.1 10.0.0.1 172.30.0.1 172.30.1.1 172.30.1.1


Can you expand on this, please? How does it make it easier to XSS?


Well, I'm not sure about XSS, but imagine you know someone's home IP is:

192.168.1.10

Based on this, you can probably guess the router is 192.168.1.1 and maybe even have a clue about the vendor based on the IP assigning patterns.

Then you can direct them to a page with a submitting POST <form> that makes modifications to their router settings. This is more like CSRF than XSS though.


Funny, of all the routers I used (all were provided by my ISP), their IPs were 192.168.1.254


Previously you'd have to guess that the router was on 192.168.x.1. http://www.gironsec.com/blog/2015/01/owning_modems_and_route...


It doesn't. All major browsers block connections to 192.168.XX.XX (and any other externally unroutable IP) from external (http on the Web, not localhost) web pages.


Just tested img and iframe and they work quite happily from the web to the local network.
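
Added example, not part of the thread and not any vendor's code: since pages on the web can send requests to LAN addresses, the router's admin interface has to reject cross-site submissions itself. The sketch below shows one such check on the `Host`, `Origin` and `Referer` headers; the function names, the allowed-host list and the sample requests are assumptions made for illustration, and it assumes settings are only ever changed by non-GET requests.

```javascript
// Added example: request filter for a router admin UI (hypothetical names).
// Assumption: GET/HEAD/OPTIONS never change settings, so img/iframe loads are harmless.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Return host[:port] of an Origin or Referer value, or null if it is not an http(s) URL.
function hostOf(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.host.toLowerCase();
  } catch {
    return null; // also covers the literal Origin value "null"
  }
}

// headers: object with lower-case names, as Node's http module provides them.
// allowedHosts: addresses/names the admin UI is legitimately reached on.
function checkAdminRequest(method, headers, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const host = (headers["host"] || "").toLowerCase();
  if (!allowed.has(host)) return { ok: false, reason: "unexpected Host" };
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: "safe method" };

  // A form submitted from another site carries that site's origin, not the router's.
  const source = headers["origin"] || headers["referer"];
  if (!source) return { ok: false, reason: "no Origin or Referer" };
  const srcHost = hostOf(source);
  if (srcHost === null) return { ok: false, reason: "unparsable source" };
  if (srcHost !== host) return { ok: false, reason: "cross-site source" };
  return { ok: true, reason: "same-origin" };
}

// Constructed sample requests (not captured traffic).
const ROUTER_HOSTS = ["192.168.1.1"];
const SAMPLES = [
  ["POST", { host: "192.168.1.1", origin: "http://192.168.1.1" }],
  ["POST", { host: "192.168.1.1", origin: "http://ads.example" }],
  ["POST", { host: "192.168.1.1" }],
  ["GET", { host: "192.168.1.1", referer: "http://ads.example/page" }],
];
for (const [method, headers] of SAMPLES) {
  const r = checkAdminRequest(method, headers, ROUTER_HOSTS);
  console.log(method, headers.origin || headers.referer || "-", r.ok, r.reason);
}
```

A header check like this is normally paired with a per-session anti-CSRF token and authentication on every settings change.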



