CWE-539 Information Exposure Through Persistent Cookies or Browser Storage
What this means
SiteShadow flagged sensitive data being stored in browser-accessible storage (persistent cookies, localStorage, sessionStorage) where it can be recovered or stolen (especially in the presence of XSS).
Why it matters
Persisted data can be recovered or abused by attackers.
- XSS turns into account takeover if tokens are stored in JS-accessible storage.
- Persistence increases blast radius: data survives logout and tab close, and can be extracted later.
- Shared devices: persistent storage leaks across users on the same machine/browser profile.
Safer examples
1) Prefer HttpOnly cookies for session tokens
HttpOnly cookies aren't readable by JavaScript, reducing XSS token theft (see S02 / CWE-614).
2) Minimize what you store in the browser
Avoid storing secrets; store opaque identifiers and fetch sensitive data from the server as needed.
3) Reduce lifetime and scope
Short expirations, revocation, and least-privilege scopes (see TOK01).
How SiteShadow detects it (high level)
- Detects sensitive values being written to localStorage/sessionStorage or persistent cookies.
- Flags "token-like" keys stored in browser-accessible contexts.
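Added example (not SiteShadow's code and not from the original page): a Node.js snippet that builds a hardened Set-Cookie value and audits an existing one for the attributes recommended under "Safer examples", plus a minimal source scanner for token-like keys written to localStorage/sessionStorage or document.cookie, illustrating the kind of check the detection section describes at a high level. The sample page script, the `sid` cookie name, the 3600 s lifetime threshold and the key pattern are constructed assumptions.

```javascript
// Hypothetical helpers; the sample script below is constructed, not captured from a real site.
const TOKEN_KEY_PATTERN = /(token|jwt|session|auth|secret|api[_-]?key)/i;
const STORAGE_WRITE = /(localStorage|sessionStorage)\.setItem\(\s*['"]([^'"]+)['"]/g;
const COOKIE_WRITE = /document\.cookie\s*=\s*['"`]([^=]+)=/g;

// Scan page JavaScript for token-like keys written to browser-accessible storage.
// Returns one finding per sink/key pair (benign keys such as UI preferences are ignored).
function findBrowserStorageLeaks(source) {
  const findings = [];
  for (const m of source.matchAll(STORAGE_WRITE)) {
    if (TOKEN_KEY_PATTERN.test(m[2])) findings.push({ sink: m[1], key: m[2] });
  }
  for (const m of source.matchAll(COOKIE_WRITE)) {
    const key = m[1].trim();
    if (TOKEN_KEY_PATTERN.test(key)) findings.push({ sink: 'document.cookie', key });
  }
  return findings;
}

// Build a Set-Cookie value for an opaque session id: HttpOnly keeps it out of
// document.cookie, Secure/SameSite limit where it travels, and a short Max-Age
// bounds how long a leaked copy stays usable.
function buildSessionCookie(sessionId, maxAgeSeconds = 900) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error('opaque session id expected');
  return `sid=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Audit a Set-Cookie header value: missing HttpOnly/Secure, or a Max-Age longer than
// the allowed lifetime, are reported. (Expires= is not parsed in this minimal version.)
function auditSetCookie(header, maxLifetimeSeconds = 3600) {
  const attrs = header.split(';').slice(1).map((s) => s.trim());
  const has = (name) => attrs.some((a) => a.toLowerCase() === name);
  const maxAge = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
  const problems = [];
  if (!has('httponly')) problems.push('missing HttpOnly');
  if (!has('secure')) problems.push('missing Secure');
  if (maxAge && Number(maxAge.slice(8)) > maxLifetimeSeconds) {
    problems.push(`persistent beyond ${maxLifetimeSeconds}s`);
  }
  return problems;
}

// Constructed sample: one token in localStorage, one benign preference, one
// long-lived refresh token written via document.cookie.
const SAMPLE_PAGE_SCRIPT = `
  localStorage.setItem('auth_token', resp.jwt);
  sessionStorage.setItem('theme', 'dark');
  document.cookie = 'refresh_token=' + resp.rt + '; max-age=2592000';
`;

console.log(findBrowserStorageLeaks(SAMPLE_PAGE_SCRIPT));
console.log(auditSetCookie('sid=abc123; Path=/; Max-Age=2592000'));
console.log(auditSetCookie(buildSessionCookie('abc123')));
```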
References
- CWE-539: https://cwe.mitre.org/data/definitions/539.html