localStorage and app publishing

Hello Everyone!

I’m publishing an update for our public app which utilizes browser storage via localStorage.setItem to store the ID of the user for the remote system. This ID is later retrieved when the user makes the same action, thus saving the user time as they do not have to look for themselves on the list, but the value is already preset. It was not a problem before, but now when I submitted the app I’m receiving an automated message:

Fix the below Security issues:

Issue 1 :
Title : localStorage write
Description : Sensitive data in localStorage can be exposed if other vulnerabilities such as XSS are exploitable.
Impact : Audit
File Name : project/app/scripts/app.js
Line Number : 138

In app publishing guidelines I cannot find any reference that would say to not use localStorage. We are not storing any sensitive information.

How can this be fixed?

One way would be to implement freshdesk fdk app storage, but that would introduce new logic, while this is a simple update for recent domain whitelisting changes and also to bump the platform version to 2.2, we would like to avoid complex solutions.

Thank you all!


Thanks for bringing this up @Peteris_Kuskis1, and apologies for the confusion.

Looks like usage of localStorage is discouraged as part of a renewed security focus the Platform has adopted with version 2.2. The exact expectation (to use localStorage or not) isn’t documented yet. Partly because localStorage can be used to store sensitive credentials, while it has some genuine uses as well, like in your case. This needs further discussion to come to a recommendation.

Meanwhile, there can be two ways out of this:

  • Use Data Storage Methods as you’ve mentioned. I understand this needs extra work as it adds additional logic to maintain, but not a lot
  • Wait for app review to clear the submission to go through. If not, you will likely need to implement data methods
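The pattern under discussion in both posts above (persist the user's last pick, preset it next time), written up as an added example that is not code from the thread, from the app in question or from Freshworks. It keeps the app logic identical while letting the backend be either window.localStorage or the FDK Data Storage API, and it treats whatever comes back from storage as untrusted: any script running on the same origin can read or write localStorage, so the restored value is checked against the option list before it touches the page. The `client.db.set/get/delete` calls and the JSON-object value shape follow my reading of the Freshworks Data Storage docs and should be confirmed against the current documentation; the key name, option list and in-memory fakes are constructed for the example.

```javascript
// Added example (not from the original thread): "remember the last selected
// remote user" with two interchangeable storage backends.
// Assumptions: STORAGE_KEY is a hypothetical key; client.db.set/get/delete
// are my reading of the Freshworks Data Storage API (values must be JSON objects,
// get() rejects when the key is missing).

const STORAGE_KEY = "remote_user_id";

// Whatever comes back from storage is untrusted input: another same-origin script
// (e.g. via XSS) can write localStorage too. Only accept a value that is on the list.
function pickValidOption(stored, options) {
  if (typeof stored !== "string") return null;
  return options.some((o) => o.id === stored) ? stored : null;
}

// Backend 1: window.localStorage. Synchronous, plaintext, readable by any same-origin
// script, and access can throw (storage disabled, private mode, quota), so guard it.
function localStorageBackend(storage) {
  return {
    async save(id) { try { storage.setItem(STORAGE_KEY, id); return true; } catch { return false; } },
    async load() { try { return storage.getItem(STORAGE_KEY); } catch { return null; } },
    async clear() { try { storage.removeItem(STORAGE_KEY); } catch { /* nothing to undo */ } },
  };
}

// Backend 2: Freshworks app Data Storage (client.db), server-side per app/installation.
function clientDbBackend(client) {
  return {
    async save(id) { try { await client.db.set(STORAGE_KEY, { id }); return true; } catch { return false; } },
    async load() { try { const rec = await client.db.get(STORAGE_KEY); return rec ? rec.id : null; } catch { return null; } },
    async clear() { try { await client.db.delete(STORAGE_KEY); } catch { /* key already gone */ } },
  };
}

// Backend-agnostic app logic. Only IDs from the current list are ever persisted.
async function rememberSelection(backend, id, options) {
  if (pickValidOption(id, options) === null) return false;
  return backend.save(id);
}

// Returns the ID to preset the <select> with, or null. Stale or tampered values are dropped.
async function restoreSelection(backend, options) {
  const stored = await backend.load();
  const valid = pickValidOption(stored, options);
  if (stored !== null && valid === null) await backend.clear();
  return valid;
}

// In-memory fakes so the example runs offline; in the app these are
// window.localStorage and the `client` object the FDK hands to the app.
function fakeLocalStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function fakeClientDb() {
  const m = new Map();
  return { db: {
    set: async (k, v) => { m.set(k, v); return { Created: true }; },
    get: async (k) => { if (!m.has(k)) throw new Error("Record not found"); return m.get(k); },
    delete: async (k) => { m.delete(k); return { Deleted: true }; },
  } };
}

// Runs the same scenario against both backends: a legitimate pick is restored,
// a value planted directly in storage (simulating tampering) is rejected and cleared.
async function demo() {
  const options = [{ id: "u-101", name: "Alice" }, { id: "u-202", name: "Bob" }]; // constructed sample
  const results = {};
  const backends = [
    ["localStorage", localStorageBackend(fakeLocalStorage())],
    ["clientDb", clientDbBackend(fakeClientDb())],
  ];
  for (const [name, backend] of backends) {
    await rememberSelection(backend, "u-202", options);
    const ok = await restoreSelection(backend, options);
    await backend.save("<img src=x onerror=alert(1)>"); // bypasses validation, like a tampering script would
    const tampered = await restoreSelection(backend, options);
    const afterClear = await backend.load();
    results[name] = { ok, tampered, afterClear };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r)));
}
```

Which backend is acceptable is the reviewer's call, not the code's; the point of the validation step is that it is needed either way, because a storage location the page can read is also one a script injected into the page can read and write.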

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.