Homepage
About Snyk

Open Redirect Affecting xdlocalstorage package, versions *

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.08% (34th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-XDLOCALSTORAGE-2314894
  • published 10 Dec 2021
  • disclosed 9 Dec 2021
  • credit GrimHacker
Report a new vulnerability Found a mistake?

Introduced: 9 Dec 2021

CVE-2020-11611 Open this link in a new tab
CWE-601 Open this link in a new tab

How to fix?

There is no fixed version for xdlocalstorage.

Overview

xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.

Affected versions of this package are vulnerable to Open Redirect. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore, any domain that is currently loaded within the iframe can receive the messages that the client sends.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
6.1 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

6.1 medium