Homepage
About Snyk

Information Exposure Affecting xdlocalstorage package, versions *

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.23% (62nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-XDLOCALSTORAGE-2314905
  • published 10 Dec 2021
  • disclosed 9 Dec 2021
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 9 Dec 2021

CVE-2015-9545 Open this link in a new tab
CWE-20 Open this link in a new tab

How to fix?

There is no fixed version for xdlocalstorage.

Overview

xdlocalstorage is a lightweight js library which implements LocalStorage interface and support cross domain storage by using iframe post message communication.

Affected versions of this package are vulnerable to Information Exposure. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.1 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

7.1 high