I’m publishing an update for our public app which utilizes browser storage via localStorage.setItem to store the ID of the user for the remote system. This ID is later retrieved when the user makes the same action, thus saving the user time, as they do not have to look for themselves on the list; the value is already preset. It was not a problem before, but now that I have submitted the app, I’m receiving an automated message:
Fix the below Security issues:
Issue 1 :
Title : localStorage write
Description : Sensitive data in localStorage can be exposed if other vulnerabilities such as XSS are exploitable.
Impact : Audit
File Name : project/app/scripts/app.js
Line Number : 138
In the app publishing guidelines I cannot find any reference that would say not to use localStorage. We are not storing any sensitive information.
How can this be fixed?
One way would be to implement Freshdesk FDK app storage, but that would introduce new logic, while this is a simple update for recent domain whitelisting changes and a bump of the platform version to 2.2; we would like to avoid complex solutions.
Thank you all!
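
An added example, not part of the original post or of any Freshdesk code: one way to keep the localStorage use described above low-risk is to store only the non-sensitive ID and treat the value read back as untrusted input. The key name, the numeric ID format and the in-memory storage stand-in are assumptions.

```javascript
const STORAGE_KEY = "remoteUserId"; // hypothetical key name
const ID_PATTERN = /^[0-9]{1,12}$/; // assumption: remote IDs are short numeric strings

// Store the ID only if it has the expected shape; never throw to the caller.
function saveRemoteUserId(storage, id) {
  const value = String(id);
  if (!ID_PATTERN.test(value)) return false;
  try {
    storage.setItem(STORAGE_KEY, value);
    return true;
  } catch (err) {
    return false; // storage disabled or quota exceeded: the preset is simply skipped
  }
}

// Read the ID back as untrusted input: check its shape and that it is still
// present in the list returned by the remote system before preselecting it.
function loadRemoteUserId(storage, knownIds) {
  let value = null;
  try {
    value = storage.getItem(STORAGE_KEY);
  } catch (err) {
    return null;
  }
  if (value === null) return null;
  if (!ID_PATTERN.test(value) || !knownIds.includes(value)) {
    try { storage.removeItem(STORAGE_KEY); } catch (err) { /* ignore */ }
    return null; // tampered or stale value is dropped, not used
  }
  return value;
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Constructed sample data: the user list and the remembered selection.
const demoStorage = makeMemoryStorage();
const demoList = ["1001", "1002", "1003"];
saveRemoteUserId(demoStorage, 1002);
console.log(loadRemoteUserId(demoStorage, demoList));
```

In the browser, pass `window.localStorage` as `storage`, and set the returned ID as a form value rather than inserting it as HTML.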