Information Exposure Affecting xdlocalstorage package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-XDLOCALSTORAGE-2314883
- published 10 Dec 2021
- disclosed 9 Dec 2021
- credit GrimHacker
How to fix?
There is no fixed version for xdlocalstorage
.
Overview
xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.
Affected versions of this package are vulnerable to Information Exposure. The receiveMessage()
function in xdLocalStoragePostMessageApi.js
does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.