Impact
Request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password.
Versions prior to 2.10.0 persisted the cache even after the user logged out.
Patches
The team is working on changing the caching policy of Saleor SDK. As Saleor SDK is not caching the responses, we're opening this advisory in Saleor Storefront instead.
Workarounds
A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
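The workaround above wipes the whole storage area. As an added example (not Saleor Storefront's or Saleor SDK's code), the following check narrows that to the defect this advisory describes: it scans a localStorage-style snapshot for credential fields that a persisted request cache left behind (CWE-312) and purges only the offending entries, which can be wired in as a logout hook. The storage keys, cache layout and values are constructed for illustration and are assumptions, not Saleor's actual format.

```javascript
// Added example, not Saleor Storefront code. Detects credential fields that a
// persisted request cache left in localStorage (CWE-312) and purges them.
// Matches "field":"value" whether the quotes are plain or JSON-escaped (\"),
// so credentials embedded inside a stringified cache key are also caught.
const CREDENTIAL_FIELD =
  /\\?"(email|password|passwd|token|refreshToken|csrfToken)\\?"\s*:\s*\\?"([^"\\]*)/gi;

// Return the names of credential-like fields with a non-empty value in one entry.
function scanEntry(raw) {
  const fields = [];
  for (const m of raw.matchAll(CREDENTIAL_FIELD)) {
    if (m[2].length > 0) fields.push(m[1]);
  }
  return fields;
}

// Audit a plain {key: string} snapshot of a storage area; report offending keys.
function auditStorage(store) {
  const findings = [];
  for (const [key, raw] of Object.entries(store)) {
    const fields = scanEntry(String(raw));
    if (fields.length > 0) findings.push({ key, fields });
  }
  return findings;
}

// Logout hook: delete every flagged entry and return the keys removed.
function purgeSensitiveEntries(store) {
  const removed = auditStorage(store).map((f) => f.key);
  for (const key of removed) delete store[key];
  return removed;
}

// Constructed sample: a benign entry, a checkout entry, and a persisted login
// mutation whose cache key embeds the request arguments (layout is invented).
function makeSampleStore() {
  return {
    theme: '"dark"',
    checkout: JSON.stringify({ lines: [{ variantId: 'variant-1', quantity: 2 }] }),
    'saleor-cache': JSON.stringify({
      ROOT_MUTATION: {
        'tokenCreate({"email":"user@example.com","password":"hunter2"})': { token: 'eyJhbGciOi...' },
      },
    }),
  };
}
```

In a browser, build the snapshot from `window.localStorage` with `key(i)` and `getItem`, then call `removeItem` for each key `auditStorage` reports; the sample store here stands in for that so the example runs offline.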
References
https://cwe.mitre.org/data/definitions/312.html
For more information
If you have any questions or comments about this advisory: