## Nester dApp Frontend Stores Wallet Addresses in localStorage — Creates XSS and Third-Party Script Exposure Risk
A security concern has been raised against the Nester decentralized application frontend. The `wallet-provider.tsx` component, at `apps/dapp/frontend/components/wallet-provider.tsx`, persists the connected wallet's public key and the wallet provider identifier in the browser's `localStorage` under the keys `nester_wallet_id` and `nester_wallet_addr`. Stellar wallet addresses are public values visible on-chain, but an on-chain lookup requires already knowing which address to look up; a value sitting in `localStorage` hands that address to anything running on the page, so its exposure is wider than on-chain visibility alone implies.

Any JavaScript executing in the same browser origin can read these stored values: third-party analytics scripts, UI libraries served from a CDN, and browser extensions whose content scripts run on the page. Because the values persist across sessions, they are readable even on a later visit in which the user has not yet connected a wallet. In the event of a cross-site scripting (XSS) exploit, an attacker could retrieve the user's wallet address and provider ID with a single `localStorage.getItem` call, without needing to interact with the wallet extension at all. The issue notes that users in emerging markets frequently reuse wallet addresses across multiple services, which amplifies the risk of targeted social engineering and wallet profiling.

The issue further warns that a persistent `localStorage` entry is a durable identifier: a third-party script embedded on the site can read it on every visit and correlate the user with activity on other sites where that same script is embedded, without the user's knowledge. `localStorage` is scoped to an origin, so other sites cannot read it directly, but unlike a cookie set with the `HttpOnly` flag it offers no way to keep data out of reach of scripts running on that origin, and unlike a session cookie it survives the browser being closed. The GitHub issue flags this as a design pattern that deviates from privacy-preserving practices, particularly for applications handling financial identifiers. At the time of reporting, it remains unclear whether patches, mitigations, or a redesign of the wallet connection flow have been implemented to address the exposure.
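As an added example, not code from the Nester repository, the following shows the storage pattern the issue describes next to one possible hardened redesign, and what a co-origin script can harvest from storage without knowing the app's key names. The `MemoryStorage` stand-in for `localStorage`, the `WalletSession` class, the `provider.getAddress()` call and the sample key are assumptions constructed for illustration so the code runs under Node; the two key names are the ones the issue reports.

```javascript
// Added example (not Nester project code). The storage shim, the WalletSession
// design and the sample key are constructed for this illustration.

// Minimal stand-in for window.localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Key names reported in the issue.
const WALLET_ID_KEY = "nester_wallet_id";
const WALLET_ADDR_KEY = "nester_wallet_addr";

// Stellar account public keys are 56-character strkeys: "G" followed by 55 base32 characters.
const STELLAR_PUBKEY = /^G[A-Z2-7]{55}$/;

// --- The pattern the issue describes: provider id and address persisted in localStorage.
function persistWalletVulnerable(storage, walletId, address) {
  storage.setItem(WALLET_ID_KEY, walletId);
  storage.setItem(WALLET_ADDR_KEY, address);
}

// What any script on the origin (analytics tag, CDN bundle, extension content
// script, XSS payload) can do: enumerate storage and pull out every value that
// looks like a Stellar public key. No knowledge of the app's key names is needed.
function scrapeStellarKeys(storage) {
  const found = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    const v = storage.getItem(k);
    if (v !== null && STELLAR_PUBKEY.test(v)) found.push({ key: k, address: v });
  }
  return found;
}

// --- One hardened redesign (an assumption, not the project's fix): the address
// lives only in memory for the life of the page. At most the provider id is
// persisted so the app can offer to reconnect, and the address is requested
// from the provider again after a reload. `provider.getAddress()` models the
// wallet API; real wallet APIs return a promise, which is elided here.
class WalletSession {
  constructor(storage) {
    this.storage = storage;
    this.address = null;  // never written to storage
    this.walletId = null;
  }
  connect(walletId, provider) {
    this.walletId = walletId;
    this.address = provider.getAddress();
    this.storage.setItem(WALLET_ID_KEY, walletId);
    return this.address;
  }
  // Returns the address if a remembered provider is available, else null.
  reconnect(providers) {
    const id = this.storage.getItem(WALLET_ID_KEY);
    if (id === null || !Object.prototype.hasOwnProperty.call(providers, id)) return null;
    return this.connect(id, providers[id]);
  }
  disconnect() {
    this.address = null;
    this.walletId = null;
    this.storage.removeItem(WALLET_ID_KEY);
    this.storage.removeItem(WALLET_ADDR_KEY);  // clear anything an earlier build left behind
  }
}

// Constructed sample key: syntactically a Stellar public key, not a real account.
const SAMPLE_ADDRESS = "G" + "A".repeat(55);

module.exports = { MemoryStorage, persistWalletVulnerable, scrapeStellarKeys, WalletSession, SAMPLE_ADDRESS };
```

Running `persistWalletVulnerable` and then `scrapeStellarKeys` against the same storage returns the address, while the `WalletSession` variant leaves nothing for the scraper to find; `disconnect` also removes the legacy `nester_wallet_addr` key so a user who upgrades is not left with a stale entry.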
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: localStorage, wallet security, XSS vulnerability, third-party scripts, Stellar
- **Credibility**: unverified
- **Published**: 2026-04-22 12:27:28
- **ID**: 75937
- **URL**: https://whisperx.ai/en/intel/75937