Javascript Sensitive Information Indexeddb
Description
This detector identifies when sensitive information is being stored in IndexedDB in JavaScript applications. IndexedDB data persists locally on the user's device and may be accessible to other scripts or applications, creating a risk of sensitive data exposure.
Detection Strategy
• Scans JavaScript code for usage of IndexedDB APIs that may store sensitive information
• Triggers when code uses IndexedDB operations (such as object store transactions, put operations, or add operations) in contexts where sensitive data might be stored
• Reports vulnerabilities when sensitive information handling patterns are detected in conjunction with IndexedDB storage operations
Vulnerable code example
function saveUserData() {
  const password = document.referrer; // External data source
  const request = indexedDB.open("appDB", 1);
  request.onsuccess = function () {
    const db = request.result;
    const tx = db.transaction("users", "readwrite");
    const store = tx.objectStore("users");
    ...
✅ Secure code example
function saveUserData() {
  const password = document.referrer; // External data source
  const request = indexedDB.open("appDB", 1);
  request.onsuccess = function () {
    const db = request.result;
    const tx = db.transaction("users", "readwrite");
    const store = tx.objectStore("users");
    ...
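One way to keep credentials out of the object store is to filter every record before it reaches `put()`. The following is an added example, not code from this page or from the detector's vendor. `stripSensitive`, `safePut`, the `SENSITIVE_KEY` pattern, the `user` parameter and the `"id"` key path are assumptions; `"appDB"` and `"users"` are the names used in the page's snippets.

```javascript
// Added example: hypothetical helper names, key pattern to tune per application.
const SENSITIVE_KEY = /passw(or)?d|secret|token|api[_-]?key|cvv/i;

const isPlainObject = (v) => {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
};

// Deep-copy `value` without sensitive properties. `dropped` collects the
// paths that were removed so the caller can log them.
function stripSensitive(value, path = "", dropped = []) {
  if (Array.isArray(value)) {
    const clean = value.map(
      (v, i) => stripSensitive(v, `${path}[${i}]`, dropped).clean);
    return { clean, dropped };
  }
  // Primitives and non-plain objects (Date, Blob, ...) are kept as they are.
  if (!isPlainObject(value)) return { clean: value, dropped };
  const clean = {};
  for (const [key, v] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (SENSITIVE_KEY.test(key)) dropped.push(here);
    else clean[key] = stripSensitive(v, here, dropped).clean;
  }
  return { clean, dropped };
}

// `store` is an IDBObjectStore obtained from a "readwrite" transaction.
function safePut(store, record) {
  const { clean, dropped } = stripSensitive(record);
  store.put(clean);
  return dropped;
}

// Browser usage with the page's database and store names.
function saveUserData(user) {
  const request = indexedDB.open("appDB", 1);
  request.onupgradeneeded = () =>
    request.result.createObjectStore("users", { keyPath: "id" });
  request.onsuccess = function () {
    const tx = request.result.transaction("users", "readwrite");
    const dropped = safePut(tx.objectStore("users"), user);
    if (dropped.length) console.warn("not persisted:", dropped.join(", "));
  };
}
```

The filter matches on property names only, so a secret stored under a neutral key such as `value` still passes through.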