CVE-2020-11611: 
JavaScript vulnerability analysis and mitigation

An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends (NVD).

The vulnerability exists in the buildMessage() function of xdLocalStorage.js where it uses a wildcard (*) as the targetOrigin parameter when calling postMessage(). This allows any domain loaded within the iframe to receive messages sent by the client. The vulnerability has a CVSS v3.1 Base Score of 6.1 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, an attacker who manages to redirect the 'magical iframe' loaded on the vulnerable application within the user's browser to a domain they control would have access to any information that the client sends to the iframe. Additionally, they could send messages back with a valid requestId which would then be processed by the client, potentially further impacting the security of the client application (GrimHacker).

The recommended mitigation is to replace this library with a maintained alternative which includes robust origin validation, or implement validation within the existing library. When using Web Messaging, explicitly state the targetOrigin (do not use the wildcard *) and carefully validate the origin of any received messages to ensure they are from an expected source (GrimHacker).

The issue was first reported in August 2015 when a GitHub issue was opened to notify the project owner. A pull request that included functionality to whitelist origins was submitted but has not been accepted or worked on since July 2016. The last commit on the project was in August 2018, suggesting that a fix from the project maintainer may not be forthcoming (GrimHacker).