Highlights
Information Disclosure: 4 prior fixes. Scrutinize any change in this area.
src/app/pages/StakingPage/Features/ValidatorMediaInfo/index.tsx: most-fixed (3 issues). Treat as high-risk during review.
1 high-severity fix in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Information Disclosure: Sensitive credentials (mnemonic phrases and private keys) were vulnerable to leaking through automated browser mechanisms including local autocomplete history, spelling suggestion APIs, and cloud spellcheck services. This was mitigated by explicitly disabling spellcheck, autocorrect, and autocomplete on key input fields.
DOM-based XSS: Validator-controlled metadata links were rendered without safe protocol enforcement, allowing potential javascript: URI injection and DOM XSS. This required enforcing strict validation using the valid-url library to permit only HTTP/HTTPS protocols.
Information Disclosure: Automated translation widgets (such as Google Translate) can automatically parse and transmit plaintext mnemonics rendered on-screen to third-party translation servers, necessitating explicit suppression of translation features on security-sensitive components.