I can't see any risk.
The only unvalidated data external to the browser is
${ssw:encodeJS(header['policy-signout'])}
which is correctly being JS encoded. Maybe Fortify isn't picking up on this fact.
You could try splitting that line (as a test) just to make sure it is the encodeJS
that is not being recognised as executing JS encoding:
var policySignout = "${ssw:encodeJS(header['policy-signout'])}";
window.location.href = window.location.protocol + "//" + window.location.host + window.appSettings.context + "/?" + policySignout;
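
What a JS-string encoder has to guarantee for the split line above, as an added example: this is not part of the original answer and not the `ssw:encodeJS` implementation, which the page does not show. `encodeForJsString`, `renderAssignment`, `checkRendered` and the sample header values are hypothetical names and constructed inputs.

```javascript
// Stand-in JS-string encoder (hypothetical; NOT the ssw taglib's implementation).
// Anything outside a small allowlist is emitted as a \xHH or \uHHHH escape.
function encodeForJsString(value) {
  let out = "";
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9 ,._]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += "\\x" + cp.toString(16).padStart(2, "0");
    } else {
      // BMP characters give one \uHHHH escape, astral ones a surrogate pair.
      for (let i = 0; i < ch.length; i++) {
        out += "\\u" + ch.charCodeAt(i).toString(16).padStart(4, "0");
      }
    }
  }
  return out;
}

const PREFIX = 'var policySignout = "';

// What the server-side template would emit for the split line.
function renderAssignment(headerValue) {
  return PREFIX + encodeForJsString(headerValue) + '";';
}

// contained: no raw character that could end the literal or the script block.
// roundTrips: evaluating the emitted line yields exactly the header value.
function checkRendered(headerValue) {
  const line = renderAssignment(headerValue);
  const literal = line.slice(PREFIX.length, -2);
  const contained = !/["'<>&\r\n\u2028\u2029]/.test(literal);
  const roundTrips = new Function(line + " return policySignout;")() === headerValue;
  return { contained, roundTrips };
}

// Constructed sample header values, not taken from the page.
const SAMPLES = ["signout=1", 'x";alert(1);//', "</script>", "a\\b\nc\u2028d"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", renderAssignment(s), checkRendered(s));
}
```

Running the same two checks against the output the real tag produces for these values shows whether it behaves as a JS-string encoder, independently of what the scanner recognises.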