Insufficient Verification of Data Authenticity
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-345: Insufficient Verification of Data Authenticity |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Calling window.postMessage() with a targetOrigin of `*` delivers the message to whatever origin currently occupies the target window, so if that window has been navigated or redirected to another site, that site receives the message. Sensitive data in the message can therefore be exposed to untrusted or malicious origins.
Impact
An attacker hosting a malicious site could intercept messages meant for trusted domains, potentially gaining access to sensitive information or credentials. This can lead to data leaks, unauthorized actions, and compromise of user security within your application.
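The following helpers, added here as an example rather than taken from the original page or any tool's own code, show the sender side pinning an explicit targetOrigin instead of `*` and the receiver side checking `event.origin` against an exact-match allowlist. The origins in `TRUSTED_ORIGINS` and the function names are constructed assumptions.

```javascript
// Constructed allowlist of origins this application is willing to exchange
// messages with. Origins are scheme://host[:port], never bare hostnames.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://widget.example.com',
]);

// Normalize a candidate into its canonical origin, so 'https://app.example.com/'
// and 'https://app.example.com' compare equal. Anything that is not a parseable
// absolute URL (including the wildcard '*' and the opaque origin 'null') yields null.
function canonicalOrigin(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Exact-match allowlist check. A prefix check such as startsWith would accept
// 'https://app.example.com.attacker.test', so only full-origin equality is used.
function isTrustedOrigin(origin) {
  const canon = canonicalOrigin(origin);
  return canon !== null && TRUSTED_ORIGINS.has(canon);
}

// Sender side. The flagged pattern is targetWindow.postMessage(payload, '*');
// here the call is refused unless the destination is an allowlisted origin, and
// the browser then drops the message if the window has navigated elsewhere.
function sendToTrustedWindow(targetWindow, payload, targetOrigin) {
  const canon = canonicalOrigin(targetOrigin);
  if (canon === null || !TRUSTED_ORIGINS.has(canon)) {
    throw new Error('refusing to postMessage to untrusted target origin: ' + targetOrigin);
  }
  targetWindow.postMessage(payload, canon);
  return canon; // the origin actually used, for logging or tests
}

// Receiver side. Validate event.origin before reading event.data; messages
// from any other origin are dropped and null is returned.
function handleIncomingMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return null;
  }
  return event.data;
}
```

Register the receiver with `window.addEventListener('message', (e) => handleIncomingMessage(e))` and route only non-null results into application logic.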