CVE-2015-9544: 
JavaScript vulnerability analysis and mitigation

An issue was discovered in xdLocalStorage through 2.0.5, where the receiveMessage() function in xdLocalStoragePostMessageApi.js lacks validation of the origin of web messages. The vulnerability was identified in April 2020 and affects all versions of the library from 1.0.1 (released 2014-04-17) to 2.0.5 (released 2017-04-14) (NVD, GrimHacker).

The vulnerability exists in the receiveMessage() function which processes incoming web messages. The function only checks if the message can be parsed as JSON and if it contains the correct namespace attribute, without validating the origin of the message. The CVSS v3.1 base score is 7.1 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) (NVD).

Remote attackers who can entice a user to load a malicious site can exploit this vulnerability to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages. The attacker can potentially read and manipulate any data stored in the local storage of the domain hosting the vulnerable component (NVD, GrimHacker).

The issue was reported in August 2015 with a pull request that included functionality to whitelist origins, but it has not been merged as of July 2016. Since the last commit to the project was in August 2018, users should consider replacing this library with a maintained alternative that includes robust origin validation, or implement validation within the existing library (GitHub Issue, GitHub PR).