Unknown · xdLocalStorage · CVE-2020-11611
**Name of the Vulnerable Software and Affected Versions**
xdLocalStorage versions 2.0.5 and earlier
**Description**
An issue was discovered in the `buildMessage()` function in xdLocalStorage.js, which specifies the wildcard (`*`) as the `targetOrigin` when calling the `postMessage()` function on the iframe object. This allows any domain currently loaded within the iframe to receive the messages that the client sends.
**Recommendations**
For versions 2.0.5 and earlier, consider restricting access to the `buildMessage()` function in xdLocalStorage.js until a patch is available. As a temporary workaround, avoid using the wildcard (`*`) as the `targetOrigin` when calling the `postMessage()` function on the iframe object to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
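The following added example (not xdLocalStorage source code) contrasts the wildcard `targetOrigin` described above with the workaround of pinning `targetOrigin` to the origin of the configured iframe URL. The frame object is a stand-in that applies the browser's `postMessage()` delivery rule so the snippet runs under Node.js; `makeFrame`, `sendWildcard`, `sendPinned`, `demo` and the `*.example` URLs are assumptions made for illustration.

```javascript
// Added illustration; not xdLocalStorage source. All names are hypothetical.

// Minimal stand-in for an iframe's contentWindow. It follows the browser rule
// for postMessage(): deliver only when targetOrigin is "*" or equals the
// origin of the document currently loaded in the frame.
function makeFrame(currentOrigin) {
  const received = [];
  return {
    received,
    postMessage(message, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === currentOrigin) {
        received.push(message);
      }
    },
  };
}

// Pattern described in the advisory: wildcard targetOrigin.
function sendWildcard(frame, message) {
  frame.postMessage(JSON.stringify(message), '*');
}

// Hardened pattern: pin targetOrigin to the origin of the configured iframe URL.
function sendPinned(frame, iframeUrl, message) {
  const expectedOrigin = new URL(iframeUrl).origin; // throws on a malformed URL
  if (expectedOrigin === 'null') {                  // opaque origin (data:, etc.)
    throw new Error('iframe URL has no usable origin: ' + iframeUrl);
  }
  frame.postMessage(JSON.stringify(message), expectedOrigin);
}

// Constructed sample values.
const STORAGE_URL = 'https://storage.example/cross-domain.html';
const request = { action: 'set', key: 'session', value: 'constructed-token' };

function demo() {
  // The frame holds a document from a different origin than the one configured.
  const wildcardFrame = makeFrame('https://other.example');
  sendWildcard(wildcardFrame, request);           // delivered to the wrong origin

  const pinnedFrame = makeFrame('https://other.example');
  sendPinned(pinnedFrame, STORAGE_URL, request);  // dropped: origin mismatch

  const intendedFrame = makeFrame('https://storage.example');
  sendPinned(intendedFrame, STORAGE_URL, request); // delivered as intended

  return {
    leaked: wildcardFrame.received.length,
    blocked: pinnedFrame.received.length,
    delivered: intendedFrame.received.length,
  };
}
```
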