Property

Language: javascript
Severity: low
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code registers a listener for 'message' events (for example, those delivered by window.postMessage) but does not check the origin of the messages it receives. As a result, messages from any website or iframe are processed, regardless of whether the sender is trusted.

Impact

An attacker could send crafted messages from another origin, potentially causing the application to perform harmful actions or leak sensitive data. This can lead to security issues such as cross-site scripting (XSS), data theft, or unauthorized actions within the application.
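The following is an added example, not code from the rule page or its tool, showing the flagged pattern beside a hardened handler that exact-matches event.origin against an allowlist and validates the payload shape. The TRUSTED_ORIGINS set, the message format ({ action: string }) and the constructed event objects are assumptions for this example.

```javascript
// Allowlist of origins permitted to send us messages (assumed for this example).
// Use the full scheme + host (+ port), exactly as event.origin reports it.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://widgets.example.com',
]);

// Pattern the rule flags: every origin is trusted because none is checked.
function unsafeHandler(event) {
  return { accepted: true, action: event.data && event.data.action };
}

// Hardened pattern: verify the sender first, then validate what it sent.
function safeHandler(event) {
  // Exact membership test; never use startsWith/indexOf/regex on the origin,
  // since a prefix check would also accept lookalike hosts.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    // Drop silently (or log server-side) rather than throwing, so unexpected
    // senders get no feedback about what the page accepts.
    return { accepted: false, reason: 'untrusted-origin' };
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null || typeof data.action !== 'string') {
    return { accepted: false, reason: 'malformed' };
  }
  return { accepted: true, action: data.action };
}

// Constructed stand-ins for MessageEvent objects so this runs outside a browser.
const fromTrusted = { origin: 'https://app.example.com', data: { action: 'refresh' } };
const fromOther = { origin: 'https://other.example.net', data: { action: 'refresh' } };
// Lookalike origin: a prefix check would wrongly accept it; exact match rejects it.
const lookalike = { origin: 'https://app.example.com.other.example.net', data: { action: 'refresh' } };

// In a browser the hardened handler is wired up as:
//   window.addEventListener('message', safeHandler);
```

When replying to a trusted sender, pass its exact origin as the targetOrigin argument of postMessage rather than '*', so the response cannot be read by a different window.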