CVE-2015-9545
Description
An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xdlocalstorage (npm) | <= 2.0.5 | — |
Affected products
- xdLocalStorage/xdLocalStorage
Patches
Vulnerability mechanics
Root cause
"Missing origin validation in the receiveMessage() function allows arbitrary web messages to manipulate local storage."
Attack vector
An attacker hosts a malicious web page and entices the victim to visit it. That page can itself embed the target site's xdLocalStorage bridge iframe (any origin may frame it) and use `postMessage` to send the iframe crafted storage requests. Because `receiveMessage()` never checks the `event.origin` of incoming messages [CWE-20], requests from the attacker's origin are processed exactly like those from the legitimate parent page, so the attacker can read, write, or delete arbitrary localStorage entries belonging to the vulnerable site. The only requirement is that the victim's browser loads the attacker's page with the target site's bridge iframe present in it.
Affected code
The vulnerable code is in the `receiveMessage()` function within `xdLocalStorage.js`. This function handles incoming `postMessage` events but performs no validation of the `event.origin` property, allowing any origin to send messages that are processed as legitimate storage operations.
What the fix does
No patch is included in the bundle. The advisory states only that the `receiveMessage()` function in `xdLocalStorage.js` does not implement any validation of the origin of web messages. To remediate, the handler should compare the `event.origin` of each incoming postMessage event against an allow-list of permitted origins (an exact string match on scheme, host and port, not a substring or regex test) and drop any message that does not match before it touches localStorage. Replies should likewise be posted back to `event.origin` rather than to `'*'`, so that a result is never delivered to a frame on an untrusted origin.
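The mechanics above and the check the fix needs, as an added example that is not code from the xdLocalStorage project: a minimal in-memory model of the postMessage storage bridge, run once as the vulnerable handler (no origin check) and once hardened with an exact-match allow-list. The names `makeBridge`, `runScenario`, `ALLOWED_ORIGINS`, the `{action, key, value}` message shape, the origins and the stored values are all assumptions constructed for the illustration; in a real page the handler would be attached with `window.addEventListener('message', receiveMessage)` and reply via `event.source.postMessage(...)`.

```javascript
'use strict';

// Assumed allow-list of parent origins permitted to talk to the storage iframe.
// Entries are full origins (scheme + host + port) and are compared by exact string match.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Build a bridge whose receiveMessage() mirrors the vulnerable/hardened behaviour.
// `store` stands in for the storage origin's localStorage; `sent` collects the
// replies the bridge would postMessage back to the requesting frame.
function makeBridge(options) {
  const store = new Map();
  const sent = [];
  const checkOrigin = Boolean(options && options.checkOrigin);

  function receiveMessage(event) {
    // The fix: refuse anything that did not come from an allow-listed origin.
    // The vulnerable handler skips this test and processes every message.
    if (checkOrigin && !ALLOWED_ORIGINS.has(event.origin)) {
      sent.push({ rejected: true, origin: event.origin });
      return;
    }
    let data;
    try {
      data = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
    } catch (e) {
      return; // malformed message, ignore
    }
    if (!data || typeof data.key !== 'string') return;
    // Replies are addressed to event.origin (not '*') so a result never
    // reaches a frame on an origin that the message did not come from.
    const reply = (msg) => sent.push(Object.assign({ targetOrigin: event.origin }, msg));
    switch (data.action) {
      case 'set':
        store.set(data.key, String(data.value));
        reply({ action: 'set', key: data.key });
        break;
      case 'get':
        reply({ action: 'get', key: data.key, value: store.has(data.key) ? store.get(data.key) : null });
        break;
      case 'remove':
        store.delete(data.key);
        reply({ action: 'remove', key: data.key });
        break;
      default:
        break; // unknown action, ignore
    }
  }
  return { receiveMessage, store, sent };
}

// Constructed scenario: the legitimate parent stores a value, then a page on an
// attacker-controlled origin that has framed the same iframe tries to read it
// and overwrite it. Returns what the attacker learned and what ended up stored.
function runScenario(checkOrigin) {
  const bridge = makeBridge({ checkOrigin });
  const msg = (origin, body) => ({ origin, data: JSON.stringify(body) });

  bridge.receiveMessage(msg('https://app.example', { action: 'set', key: 'session', value: 'abc123' }));
  bridge.receiveMessage(msg('https://evil.example', { action: 'get', key: 'session' }));
  bridge.receiveMessage(msg('https://evil.example', { action: 'set', key: 'session', value: 'attacker-chosen' }));

  const attackerRead = bridge.sent.find((m) => m.action === 'get');
  return {
    leakedValue: attackerRead ? attackerRead.value : null,
    finalValue: bridge.store.get('session'),
    rejected: bridge.sent.filter((m) => m.rejected).length,
  };
}

console.log('vulnerable (no origin check):', runScenario(false));
console.log('hardened   (allow-list)     :', runScenario(true));
```

With the check disabled the attacker's `get` returns the legitimate site's value and its `set` replaces it; with the check enabled both attacker messages are rejected before any storage access and the original value survives. Note that the allow-list holds complete origins and uses `Set.has`, an exact comparison: a test such as `event.origin.indexOf('app.example') !== -1` would also accept `https://app.example.evil.example` and reopen the hole.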
Preconditions
- input: The victim must load a malicious web page in their browser.
- config: The target site must be using the xdLocalStorage library with an iframe for cross-domain storage.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-76qm-4f93-fg6f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-9545 (NVD advisory)
- github.com/ofirdagan/cross-domain-local-storage/issues/17 (issue report)
- github.com/ofirdagan/cross-domain-local-storage/pull/19 (pull request)
- grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/ (write-up)
News mentions
No linked articles in our index yet.