
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. This vulnerability allows remote attackers who can entice a user to load a malicious site to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages (NVD, GrimHacker).
The vulnerability exists in the receiveMessage() function in xdLocalStorage.js, which performs no origin validation on incoming web messages. The only requirements for a message to be processed are: the message must be a string parseable as JSON, the data.namespace attribute must match the configured MESSAGE_NAMESPACE, and the data.id attribute must match a pending requestId. Because postMessage delivers to any window whose reference the sender holds (for example by framing or opening the vulnerable page), a page on any origin can send messages that satisfy these checks, and the library will hand the attacker-supplied data to the callback registered by the vulnerable application (GrimHacker). The vulnerability has a CVSS v3.1 Base Score of 7.1 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) (NVD).
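The following is an added example, not code from the xdLocalStorage project: a minimal Node.js model of a postMessage response handler that applies the same three checks described above (JSON parse, namespace match, pending id match), first as-is and then with an origin allow-list added in front of them. The namespace string, the origin names, and the forged message are constructed for the illustration; in a browser the event would be a real MessageEvent, and the scenario assumes the attacker already knows the pending request id.

```javascript
// Added example (not the library's code): a response handler in the style
// described above, with and without origin validation. "Events" are plain
// objects standing in for MessageEvent { data, origin } so it runs under Node.

const MESSAGE_NAMESPACE = 'cross-domain-local-message'; // assumed namespace value

// Build a handler; pass allowedOrigins to get the hardened variant.
function makeHandler({ allowedOrigins = null } = {}) {
  const requests = {}; // pending requestId -> callback
  let nextId = 0;

  // Register a callback and return the id a real client would send to its iframe.
  function request(callback) {
    const id = ++nextId;
    requests[id] = callback;
    return id;
  }

  function receiveMessage(event) {
    // Hardened variant: refuse anything not from an allow-listed origin.
    // Compare the full origin (scheme + host + port), never a substring.
    if (allowedOrigins && !allowedOrigins.includes(event.origin)) {
      return 'rejected-origin';
    }
    // The three checks the vulnerable handler relies on, in order.
    let data;
    try {
      data = JSON.parse(event.data);
    } catch (err) {
      return 'rejected-parse';
    }
    if (!data || data.namespace !== MESSAGE_NAMESPACE) return 'rejected-namespace';
    if (!data.id || !requests[data.id]) return 'rejected-id';
    const cb = requests[data.id];
    delete requests[data.id];
    cb(data); // attacker-controlled data reaches the application's callback
    return 'accepted';
  }

  return { request, receiveMessage };
}

// Scenario: the page has one outstanding request; a window on another origin
// posts a forged response carrying the matching id (constructed sample).
function simulate(handlerOpts, senderOrigin) {
  const h = makeHandler(handlerOpts);
  const received = [];
  const id = h.request(d => received.push(d.value));
  const forged = {
    origin: senderOrigin,
    data: JSON.stringify({ namespace: MESSAGE_NAMESPACE, id, value: 'attacker-controlled' }),
  };
  return { result: h.receiveMessage(forged), received };
}

// Vulnerable: no allow-list, so the forged reply is delivered to the callback.
const vulnerable = simulate({}, 'https://evil.example');
// Hardened: same message, dropped before parsing because the origin is not trusted.
const hardened = simulate({ allowedOrigins: ['https://storage.example'] }, 'https://evil.example');
console.log(vulnerable.result, vulnerable.received); // accepted [ 'attacker-controlled' ]
console.log(hardened.result, hardened.received);     // rejected-origin []
```

The origin check has to run before JSON.parse and before any lookup in the pending-request table, otherwise a malformed or mismatched message from a hostile origin still costs work and a matching one still fires the callback. On the sending side the same fix is to pass the storage host's exact origin as targetOrigin to postMessage instead of "*", so replies never go to a window the attacker controls.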
The vulnerability allows attackers to manipulate and access data in the local storage of the vulnerable site. By exploiting this issue, an attacker could potentially retrieve all information from local storage and send it to their controlled domain, as well as modify stored data which may impact the security of the client application (GrimHacker).
The issue was reported in August 2015 through GitHub Issue #17 by user Hengjie. A pull request (#19) adding origin whitelisting was submitted but has remained unmerged since July 2016, and the project's last commit was in August 2018, so a fix from the maintainer may not be forthcoming. The library still had approximately 350 weekly downloads on npmjs.com as of March 2020 despite the known issue (GitHub Issue, GitHub PR). Organizations should replace the library with a maintained alternative that validates message origins, or add that validation to the existing library themselves by checking event.origin against an allow-list in receiveMessage() before the message is parsed (GrimHacker).
Source: This report was generated using AI