xdlocalstorage@2.0.4 vulnerabilities

Cross Domain Local Storage ==========================

latest version

2.0.5
first published

8 years ago
latest version published

7 years ago
licenses detected
- Unknown
  >=0
View xdlocalstorage package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the xdlocalstorage package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Resource to Wrong Sphere xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere. The `postData()` function in `xdLocalStoragePostMessageApi.js` specifies the wildcard (`*`) as the targetOrigin when calling the `postMessage()` function on the `parent` object. Therefore any domain can load the application hosting the "magic iframe" and receive the messages that the "magic iframe" sends. How to fix Exposure of Resource to Wrong Sphere? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
M Open Redirect xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Open Redirect. The `buildMessage()` function in `xdLocalStorage.js` specifies the wildcard (`*`) as the `targetOrigin` when calling the `postMessage()` function on the iframe object. Therefore, any domain that is currently loaded within the iframe can receive the messages that the client sends. How to fix Open Redirect? There is no fixed version for `xdlocalstorage`.	*
H Information Exposure xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Information Exposure. The `receiveMessage()` function in `xdLocalStorage.js` does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages. How to fix Information Exposure? There is no fixed version for `xdlocalstorage`.	*
H Information Exposure xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication. Affected versions of this package are vulnerable to Information Exposure. The `receiveMessage()` function in `xdLocalStoragePostMessageApi.js` does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages. How to fix Information Exposure? There is no fixed version for `xdlocalstorage`.	*

Go back to all versions of this package

xdlocalstorage@2.0.4 vulnerabilities

Cross Domain Local Storage ==========================

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities