Users that use Cross-Origin communication and send sensitive information make it possible for this data to be intercepted.
This is not a big impact because it happens only on the same browser.
It has been patched in version 1.10.0
The only workaround is to not send sensitive information with sysend messages.