An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js passes the wildcard (*) as the targetOrigin argument when calling postMessage() on the iframe object. Therefore, whatever document is currently loaded in the iframe, regardless of its origin, receives the messages that the client sends.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| xdlocalstorage (npm) | 0 | N/A | N/A |
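The pattern the advisory describes, as an added illustration that is not code from the xdLocalStorage project: a constructed stand-in for an iframe's window applies the browser's targetOrigin rule (deliver if the argument is "*" or equals the origin of the document currently in the frame), so a wildcard send reaches whatever document the frame holds, while pinning the expected origin makes the browser drop the message if the frame has navigated elsewhere. The receiver-side allow-list check and all origins and payloads are assumptions for the example, not part of the library.

```javascript
// Added example (not from the xdLocalStorage project). Simulates the browser's
// targetOrigin rule so it runs under Node without a DOM.

// Constructed stand-in for an iframe's contentWindow. `origin` is the origin of
// the document currently loaded in the frame; `received` records deliveries.
function makeFakeWindow(origin) {
  return {
    origin,
    received: [],
    postMessage(data, targetOrigin) {
      // Browser rule: deliver only if targetOrigin is "*" or equals the
      // origin of the document in the frame at the time of the call.
      if (targetOrigin === "*" || targetOrigin === this.origin) {
        this.received.push({ origin: this.origin, data });
        return true;
      }
      return false;
    },
  };
}

// Weak pattern (the one the advisory describes): wildcard targetOrigin, so the
// message is delivered no matter which document the frame currently holds.
function sendWithWildcard(frameWindow, payload) {
  return frameWindow.postMessage(JSON.stringify(payload), "*");
}

// Hardened pattern: name the origin the storage iframe is expected to have.
// If the frame has navigated to another origin, the browser drops the message.
function sendPinned(frameWindow, payload, expectedOrigin) {
  return frameWindow.postMessage(JSON.stringify(payload), expectedOrigin);
}

// Receiver-side complement (assumed, not the library's code): a message
// handler that ignores events whose origin is not on an explicit allow list.
function handleMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return null;
  try {
    return JSON.parse(event.data);
  } catch (e) {
    return null;
  }
}

// Walk-through with constructed origins and a constructed payload.
function demo() {
  const expected = "https://storage.example.com"; // where the iframe should point
  const storageFrame = makeFakeWindow(expected);
  const driftedFrame = makeFakeWindow("https://other.example.net"); // frame ended up elsewhere
  const payload = { action: "set", key: "token", value: "constructed-value" };
  return {
    wildcardToDrifted: sendWithWildcard(driftedFrame, payload),   // true: delivered to the wrong origin
    pinnedToDrifted: sendPinned(driftedFrame, payload, expected),  // false: browser drops it
    pinnedToExpected: sendPinned(storageFrame, payload, expected), // true: intended recipient
    receiverRejects: handleMessage({ origin: "https://other.example.net", data: "{}" }, [expected]),
    receiverAccepts: handleMessage({ origin: expected, data: JSON.stringify(payload) }, [expected]),
  };
}

console.log(demo());
```

The fix on the sending side is a one-argument change: replace "*" with the origin the storage frame was loaded from. The receiver-side check is the matching defence for the frame itself, since the frame has no guarantee about who embeds it either.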