Insecure Credential Storageweb3
All versions of
web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.
No fix is currently available. Consider using an alternative module until a fix is made available.
publishedAdvisory PublishedMay 14th, 2019
reportedReported by sshelton76May 6th, 2019