cross-domain-local-storage-separately is vulnerable to information disclosure. The buildMessage() function in xdLocalStorage.js allows the wildcard ("*") as the targetOrigin when calling the postMessage() function on the iframe object, so any domain loaded in the iframe can accept requests from clients.
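
The difference between a wildcard and a pinned targetOrigin, as an added example that is not code from xdLocalStorage.js or from this advisory. The function names, the stub frame, the URLs and the message are constructed for illustration; the stub applies the browser rule that a message is delivered only when targetOrigin is "*" or matches the frame's current origin.

```javascript
// Added example: all names here are hypothetical, not taken from xdLocalStorage.js.

// Constructed stand-in for iframe.contentWindow. It applies the browser's
// delivery rule: a message is dispatched only when targetOrigin is "*" or
// equals the origin of the document currently loaded in the frame.
function makeFrameStub(currentOrigin) {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === currentOrigin) received.push(data);
    },
  };
}

// Weak pattern described in the advisory: wildcard targetOrigin.
function sendWildcard(frameWindow, message) {
  frameWindow.postMessage(JSON.stringify(message), '*');
}

// Hardened pattern: derive the origin from the configured iframe URL,
// require it to be on an allowlist, and pass it as targetOrigin.
function sendPinned(frameWindow, message, iframeUrl, allowedOrigins) {
  const origin = new URL(iframeUrl).origin; // throws on a malformed URL
  if (origin === 'null' || !allowedOrigins.includes(origin)) {
    throw new Error('refusing to post to unlisted origin: ' + origin);
  }
  frameWindow.postMessage(JSON.stringify(message), origin);
  return origin;
}

// Constructed scenario: the frame was configured for storage.example but
// now holds a document from a different origin.
function demo() {
  const iframeUrl = 'https://storage.example/xdLocalStorage.html';
  const allowed = ['https://storage.example'];
  const msg = { action: 'set', key: 'session', value: 'constructed-secret' };

  const navigated = makeFrameStub('https://other.example');
  sendWildcard(navigated, msg);
  const leakedWithWildcard = navigated.received.length;
  const navigated2 = makeFrameStub('https://other.example');
  sendPinned(navigated2, msg, iframeUrl, allowed);
  const leakedWithPinned = navigated2.received.length;
  const expected = makeFrameStub('https://storage.example');
  sendPinned(expected, msg, iframeUrl, allowed);
  return { leakedWithWildcard, leakedWithPinned, deliveredToExpected: expected.received.length };
}
```

With the wildcard the message reaches whatever document the frame holds; with the pinned origin it is dropped unless the frame still holds the expected origin.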

CPE

Name | Operator | Version |
---|---|---|
cross-domain-local-storage-separately | eq | 1.0.0 |