xdlocalstorage 2.0.4 vulnerabilities

Known vulnerabilities in the xdlocalstorage package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Exposure of Resource to Wrong Sphere xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere. The `postData()` function in `xdLocalStoragePostMessageApi.js` specifies the wildcard (`*`) as the targetOrigin when calling the `postMessage()` function on the `parent` object. Therefore any domain can load the application hosting the "magic iframe" and receive the messages that the "magic iframe" sends. How to fix Exposure of Resource to Wrong Sphere? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
M Open Redirect xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Open Redirect. The `buildMessage()` function in `xdLocalStorage.js` specifies the wildcard (`*`) as the `targetOrigin` when calling the `postMessage()` function on the iframe object. Therefore, any domain that is currently loaded within the iframe can receive the messages that the client sends. How to fix Open Redirect? There is no fixed version for `xdlocalstorage`.	*
H Information Exposure xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Information Exposure. The `receiveMessage()` function in `xdLocalStorage.js` does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages. How to fix Information Exposure? There is no fixed version for `xdlocalstorage`.	*
H Information Exposure xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Information Exposure. The `receiveMessage()` function in `xdLocalStoragePostMessageApi.js` does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages. How to fix Information Exposure? There is no fixed version for `xdlocalstorage`.	*

Vulnerability

Vulnerable Version

Exposure of Resource to Wrong Sphere

xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magic iframe" and receive the messages that the "magic iframe" sends.

How to fix Exposure of Resource to Wrong Sphere?

A fix was pushed into the master branch but not yet published.

>=0.0.0

Open Redirect

xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.

Affected versions of this package are vulnerable to Open Redirect. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore, any domain that is currently loaded within the iframe can receive the messages that the client sends.

How to fix Open Redirect?

There is no fixed version for xdlocalstorage.

Information Exposure

xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.

Affected versions of this package are vulnerable to Information Exposure. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.

How to fix Information Exposure?

There is no fixed version for xdlocalstorage.

Information Exposure

xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.

Affected versions of this package are vulnerable to Information Exposure. The receiveMessage() function in xdLocalStoragePostMessageApi.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.

How to fix Information Exposure?

There is no fixed version for xdlocalstorage.

xdlocalstorage@2.0.4 vulnerabilities

Cross Domain Local Storage ==========================

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?