An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.
References
Link | Resource |
---|---|
https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Magic-iframe | Exploit Third Party Advisory |
https://github.com/ofirdagan/cross-domain-local-storage | Product |
Configurations
Configuration 1 (hide)
|
Information
Published : 2020-04-07 11:15
Updated : 2021-07-21 04:39
NVD link : CVE-2020-11610
Mitre link : CVE-2020-11610
JSON object : View
CWE
CWE-668
Exposure of Resource to Wrong Sphere
Products Affected
cross_domain_local_storage_project
- cross_domain_local_storage