F-2025-0011 · information-disclosure

Information disclosure through console logging

Fixed · typescript · widget · router-api
TL;DR

Sensitive runtime data was logged to the browser console, leaking implementation details and potentially session data to anyone with devtools open or to remote-debug bridges.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description

The widget logged sensitive runtime objects (auth/session data, account details, internal state) to the browser console. While not directly exploitable, this leaks implementation details and session information to anyone observing the console.

Recommendation

Remove sensitive console.log calls from production builds. Use a structured logger that drops sensitive fields by default.
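
A sketch of the kind of logger this recommendation describes, as an added example that is not the project's code or the fix commit. It redacts every field that is not on an allowlist and drops debug records in production. All names, the allowlist contents and the sample state are assumptions made for illustration.

```typescript
// Added example: allowlist-based structured logger. All names here are hypothetical.
type LogLevel = "debug" | "info" | "warn" | "error";
type LogFields = Record<string, unknown>;
type LogSink = (line: string) => void;

// Keys known to be safe to emit. Any key not listed is redacted by default.
const SAFE_KEYS: readonly string[] = ["route", "status", "chainId", "durationMs", "tx"];
const REDACTED = "[redacted]";
const MAX_DEPTH = 4;

// Copy a value, replacing every non-allowlisted field with a marker.
function scrub(value: unknown, depth: number): unknown {
  if (typeof value === "bigint") return String(value); // JSON.stringify throws on bigint
  if (value === null || typeof value !== "object") return value;
  if (depth >= MAX_DEPTH) return REDACTED; // bounds recursion, including cyclic objects
  if (Array.isArray(value)) return value.map((item) => scrub(item, depth + 1));
  const source = value as LogFields;
  const out: LogFields = {};
  for (const key of Object.keys(source)) {
    out[key] = SAFE_KEYS.indexOf(key) >= 0 ? scrub(source[key], depth + 1) : REDACTED;
  }
  return out;
}

// Build a logger. In production, debug records are dropped before serialization.
function createLogger(opts: { production: boolean; sink?: LogSink }) {
  const sink: LogSink = opts.sink ?? ((line: string) => console.log(line));
  return function log(level: LogLevel, event: string, fields: LogFields = {}): string | null {
    if (opts.production && level === "debug") return null;
    const line = JSON.stringify({ ...(scrub(fields, 0) as LogFields), level, event });
    sink(line);
    return line;
  };
}

// Constructed sample state of the kind the finding describes (all values are fake).
const sampleState: LogFields = {
  route: "/swap",
  status: "signed",
  session: { token: "eyJ.fake.jwt", expires: 1750000000 },
  account: { address: "init1exampleaddress", balance: "1200" },
  tx: { route: "/swap", memo: "private note" },
};

const prodLog = createLogger({ production: true });
prodLog("debug", "state.dump", sampleState); // dropped: nothing reaches the console
prodLog("info", "swap.submitted", sampleState); // session, account and tx.memo are redacted
```

Because unknown keys are redacted rather than matched against a denylist, a field added to the state later stays out of the console until someone deliberately allowlists it.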

Initia: Resolved. Pashov Audit Group: Resolved.

Status: Fixed
Fix commit: de9d3602dc1a
Fix date: 2025-06-23