Interlace ESLint

no-sensitive-indexeddb

Prevent storing sensitive data in IndexedDB.

⚠️ Security Issue

Property   Value
CWE        CWE-922: Insecure Storage of Sensitive Information
OWASP      A02:2021 - Cryptographic Failures
CVSS       7.5 (High)
Severity   HIGH

📋 Description

IndexedDB is readable by any JavaScript running in the page's origin, so anything stored there can be read and exfiltrated by an XSS payload. Sensitive data such as passwords, tokens, and API keys should not be stored in client-side databases.

❌ Incorrect

// Creating object store for sensitive data
db.createObjectStore('passwords');
db.createObjectStore('secrets');
db.createObjectStore('apiKeys');

// Storing sensitive data
store.add({ password: userPassword });
store.put({ apiKey: key });

✅ Correct

// Store non-sensitive data
db.createObjectStore('preferences');
db.createObjectStore('cachedData');

// Store user preferences
store.add({ theme: 'dark', language: 'en' });

🛠️ Options

{
  "rules": {
    "@interlace/browser-security/no-sensitive-indexeddb": [
      "error",
      {
        "allowInTests": true
      }
    ]
  }
}

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Dynamic Store Names

Why: Computed names not analyzed.

// ❌ NOT DETECTED - Dynamic name
const name = 'passwords';
db.createObjectStore(name);

Mitigation: Use static store names. Avoid sensitive naming.

Nested Sensitive Data

Why: Deep object properties not traced.

// ❌ NOT DETECTED - Nested data
store.put({ user: { password: pwd } });

Mitigation: Never store sensitive data in IndexedDB.

Library Wrappers

Why: IndexedDB wrappers not recognized.

// ❌ NOT DETECTED - Dexie wrapper
db.secrets.add({ apiKey: key });

Mitigation: Apply rule to wrapper implementations.
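To make the detection boundary concrete, here is an added, hypothetical miniature of the check this rule performs, written as an ESLint-style rule over ESTree nodes. It is not the Interlace plugin's source: the SENSITIVE pattern, the message texts and the tiny traversal stand-in are assumptions. It models the first two false negatives above (dynamic store names and nested keys) but does not track which receiver a call is made on, so it says nothing about the wrapper case.

```javascript
// Hypothetical miniature of no-sensitive-indexeddb as an ESLint-style rule over
// ESTree nodes (not the Interlace plugin's source; SENSITIVE and messages are assumptions).
const SENSITIVE = /password|passwd|secret|token|apikey|api_key|credential/i;
const rule = {
  create(context) {
    return {
      CallExpression(node) {
        const { callee } = node;
        if (callee.type !== 'MemberExpression' || callee.property.type !== 'Identifier') return;
        const method = callee.property.name;
        const [arg] = node.arguments;
        if (!arg) return;
        // createObjectStore('passwords'): only a string literal is inspected, so a
        // computed or variable store name is a documented false negative.
        if (method === 'createObjectStore') {
          if (arg.type === 'Literal' && typeof arg.value === 'string' && SENSITIVE.test(arg.value)) {
            context.report({ node: arg, message: `Sensitive object store name '${arg.value}'` });
          }
        } else if ((method === 'add' || method === 'put') && arg.type === 'ObjectExpression') {
          // store.add/put({ ... }): only top-level keys are inspected, so a nested
          // { user: { password } } is a documented false negative.
          for (const prop of arg.properties) {
            if (prop.type !== 'Property') continue;
            const name = prop.key.type === 'Identifier' ? prop.key.name : String(prop.key.value);
            if (SENSITIVE.test(name)) context.report({ node: prop, message: `Sensitive key '${name}' written to IndexedDB` });
          }
        }
      },
    };
  },
};

// Stand-in for ESLint's traversal so the rule runs without the eslint package;
// returns the report messages produced for an ESTree subtree.
function lint(ast) {
  const messages = [];
  const visitors = rule.create({ report: (r) => messages.push(r.message) });
  (function walk(n) {
    if (!n || typeof n !== 'object') return;
    if (Array.isArray(n)) { n.forEach(walk); return; }
    if (visitors[n.type]) visitors[n.type](n);
    Object.keys(n).forEach((k) => walk(n[k]));
  })(ast);
  return messages;
}
// Helpers that build constructed ESTree nodes in place of parsed source.
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const obj = (props) => ({ type: 'ObjectExpression', properties: Object.entries(props).map(([k, v]) => ({ type: 'Property', key: id(k), value: v })) });
const call = (object, method, arg) => ({ type: 'CallExpression', callee: { type: 'MemberExpression', object: id(object), property: id(method) }, arguments: [arg] });
```

Running `lint(call('db', 'createObjectStore', lit('passwords')))` reports, while the same call with `id('name')` and a write of `obj({ user: obj({ password: id('pwd') }) })` both pass silently, which is exactly the gap the false-negative entries describe.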
