SYM_JSTS_0083 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficient Verification of Data Authenticity
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-345: Insufficient Verification of Data Authenticity |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Calling window.postMessage() with a target origin of '*' tells the browser to deliver the message to the target window no matter which origin that window currently has. If the target window or frame has been navigated to, or was opened by, a site the application does not control, that site receives the message. Sensitive data (session tokens, user details, internal state) is therefore exposed to untrusted or malicious origins. The fix is to pass the exact expected origin (scheme, host and port) as the targetOrigin argument, so the browser silently drops the message when the recipient's origin does not match; the receiving side should likewise check event.origin before trusting event.data.
Impact
An attacker who controls the window or frame the message is posted to (for example by navigating an opened popup or embedded iframe to a site they host) receives messages that were meant for a trusted domain, potentially obtaining sensitive information or credentials. This can lead to data leaks, unauthorized actions performed with the leaked material, and compromise of user accounts within your application.
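The pattern above and its hardened form, as an added example that is not part of the Symbiotic database entry or any project's code. The allowlisted origins, the `sendVulnerable` / `sendToTrusted` / `handleMessage` function names and the `fakeWindow` stand-in are assumptions made here so the example runs outside a browser; in a real page `targetWindow` would be an iframe's `contentWindow` or the return value of `window.open`.

```javascript
// Added example: hardened postMessage sender and origin-checking receiver.
// Not code from the Symbiotic database or any project. Origins are assumed.

// Origins this application is willing to exchange messages with (assumed).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://pay.example.com",
]);

// Reduce a URL to its origin (scheme://host[:port]); null if unparseable.
// This is the value to pass as targetOrigin instead of '*'.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Vulnerable pattern (CWE-345): whatever document currently occupies
// targetWindow receives the payload, even if it has been navigated to an
// attacker-controlled site.
function sendVulnerable(targetWindow, payload) {
  targetWindow.postMessage(payload, "*");
}

// Hardened sender: refuses '*' and any origin not on the allowlist. With an
// explicit targetOrigin the browser drops the message if the receiving
// document's origin does not match, so a hijacked window gets nothing.
function sendToTrusted(targetWindow, payload, targetOrigin) {
  const origin = originOf(targetOrigin);
  if (targetOrigin === "*" || origin === null || !TRUSTED_ORIGINS.has(origin)) {
    throw new Error(`refusing to post message to untrusted origin: ${targetOrigin}`);
  }
  targetWindow.postMessage(payload, origin);
  return origin;
}

// Receiver side: the symmetric check. event.origin is set by the browser and
// cannot be forged by the sender, so compare it to the allowlist before
// touching event.data. Returns the accepted data, or null when rejected.
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return null; // unknown origin: ignore
  }
  // Data from a trusted origin is still untrusted input; validate its shape.
  if (typeof event.data !== "object" || event.data === null) {
    return null;
  }
  return event.data;
}

// Minimal stand-in for a browser window so the example runs under Node.
// It records the targetOrigin it was given; a real browser compares that
// value against the receiving document's origin before delivering.
function fakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

// Usage: post a token to a trusted window and show the vulnerable call.
const popup = fakeWindow();
sendVulnerable(popup, { token: "session-123" });        // delivered to anyone
sendToTrusted(popup, { token: "session-123" }, "https://app.example.com/cb");
```

In a browser, register `handleMessage` with `window.addEventListener("message", handleMessage)` on the receiving page; the origin comparison there is the only reliable way to know who sent a message, since `event.data` can contain anything.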