CVE-2020-11610
Description
An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xdlocalstorage (npm) | <= 2.0.5 | — |
Affected products
- xdLocalStorage / xdLocalStorage
Patches
Vulnerability mechanics
Root cause
"The `postData()` function uses the wildcard `*` as the `targetOrigin` in `postMessage()`, allowing any domain to receive messages intended only for the parent window."
Attack vector
An attacker hosts a page on their own origin that embeds the xdLocalStorage iframe page (the "magical iframe") served by the target site, which makes the attacker's page the iframe's `window.parent`. Because `postData()` passes the wildcard `*` as the `targetOrigin` [ref_id=1], the browser delivers every message the iframe posts to its parent regardless of that parent's origin, so the attacker's page receives the localStorage keys and values the iframe transmits. Nothing on the sending side decides which origin may read those messages, which is the exposure CWE-668 describes: a resource handed to the wrong sphere.
Affected code
The vulnerable function is `postData()` in `xdLocalStoragePostMessageApi.js`. This function calls `postMessage()` on the parent object using the wildcard `*` as the `targetOrigin` parameter, meaning no origin restriction is applied to the recipient of the message [ref_id=1].
What the fix does
No patch is provided in the bundle, and the advisory [ref_id=1] gives no remediation guidance. To close the vulnerability, `postData()` must pass a concrete origin instead of `*`. Note that the iframe cannot simply read `window.parent.location.origin`: for a cross-origin parent that access throws a SecurityError, and a cross-origin parent is exactly the case the library exists to serve. Instead, the iframe page should carry an allowlist of origins permitted to embed it and, when replying to a request, post the reply only to the requester's `event.origin` after checking it against that allowlist; requests from any other origin should get no reply. Serving the iframe page with a `Content-Security-Policy: frame-ancestors` directive additionally limits who can embed it at all.
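The following is an added example, not code from xdLocalStorage or its advisory. It is a Node-runnable stand-in for the iframe side that shows the wildcard `postData()` beside a hardened variant. `makeParentStub()` replaces `window.parent` and records each `postMessage(data, targetOrigin)` call; the allowlist `ALLOWED_PARENT_ORIGINS`, the helper names and the sample store and events are all assumptions made for the demonstration.

```javascript
// Added example, not code from xdLocalStorage: a Node-runnable stand-in for the
// iframe side ("magical iframe"). parentWindow is a stub for window.parent that
// records each postMessage(data, targetOrigin) call, so the effect of the
// wildcard targetOrigin is observable without a browser.

function makeParentStub() {
  const calls = [];
  return {
    calls,
    postMessage(data, targetOrigin) {
      calls.push({ data, targetOrigin });
    },
  };
}

// Vulnerable shape, as the CVE describes: targetOrigin '*' tells the browser to
// deliver the message to whatever page embedded the iframe, attacker included.
function postDataVulnerable(parentWindow, id, data, requesterOrigin) {
  void requesterOrigin; // ignored on purpose: this is the bug
  parentWindow.postMessage(JSON.stringify({ id, data }), '*');
  return true;
}

// Hardened shape. Assumption (not from the project): the iframe page ships
// with an allowlist of origins permitted to embed it. The reply is addressed
// to the requester's origin, and only if that origin is on the list; an
// embedder outside the list gets no message at all.
const ALLOWED_PARENT_ORIGINS = new Set(['https://app.example.com']); // assumed

function postDataHardened(parentWindow, id, data, requesterOrigin) {
  if (!ALLOWED_PARENT_ORIGINS.has(requesterOrigin)) {
    return false;
  }
  parentWindow.postMessage(JSON.stringify({ id, data }), requesterOrigin);
  return true;
}

// The iframe's handler for a get-key request. `event` stands in for the
// MessageEvent the browser hands to the iframe's onmessage listener;
// event.origin is set by the browser and cannot be forged by the sender.
function handleGetRequest(parentWindow, event, store, postData) {
  const request = JSON.parse(event.data);
  const value = Object.prototype.hasOwnProperty.call(store, request.key)
    ? store[request.key]
    : null;
  return postData(parentWindow, request.id, { key: request.key, value }, event.origin);
}

// Run the same request through both variants. The store and the two events are
// constructed sample data; nothing is read from a real browser or network.
function demo() {
  const store = { session_token: 'tok-123' }; // constructed localStorage content
  const attackerEvent = {
    data: JSON.stringify({ id: 1, key: 'session_token' }),
    origin: 'https://attacker.example',
  };
  const trustedEvent = {
    data: JSON.stringify({ id: 2, key: 'session_token' }),
    origin: 'https://app.example.com',
  };

  // Vulnerable: the attacker's embedding page gets the value with targetOrigin '*'.
  const vulnParent = makeParentStub();
  handleGetRequest(vulnParent, attackerEvent, store, postDataVulnerable);

  // Hardened: the attacker gets nothing, the allowlisted origin gets a reply
  // addressed to it and nobody else.
  const hardParent = makeParentStub();
  const answeredAttacker = handleGetRequest(hardParent, attackerEvent, store, postDataHardened);
  const answeredTrusted = handleGetRequest(hardParent, trustedEvent, store, postDataHardened);

  return {
    vulnCalls: vulnParent.calls,
    hardCalls: hardParent.calls,
    answeredAttacker,
    answeredTrusted,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The stub makes the difference visible in the recorded `targetOrigin`: the vulnerable path records `'*'` for a request that came from `https://attacker.example`, while the hardened path records no call for that request and exactly one call, addressed to `https://app.example.com`, for the allowlisted origin. In a browser, a `targetOrigin` that does not match the parent's actual origin causes the browser to drop the message, which is the guarantee the wildcard throws away.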
Preconditions
- network: The victim must visit an attacker-controlled page that embeds the xdLocalStorage iframe page (the "magical iframe") from the target origin, so that the attacker's page is the iframe's `window.parent`.
- input: The target's iframe page must be embeddable from the attacker's origin (no `X-Frame-Options` or `frame-ancestors` restriction blocking it), and the iframe must post at least one message to its parent while embedded there.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mr5m-2385-2vcp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-11610 (NVD)
- github.com/ofirdagan/cross-domain-local-storage/issues/17
- github.com/ofirdagan/cross-domain-local-storage/pull/19
- grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/
News mentions
No linked articles in our index yet.