Will It Vibe logoWill It Vibe?
PRIVACY-014Medium severity-8 points

PII stored in localStorage/sessionStorage

Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A non-auth PII field (SSN, card number, DOB, passport, license, tax id) is written to localStorage/sessionStorage, which any script on the page can read and which never expires on its own.

Why it matters

localStorage and sessionStorage are readable by any JavaScript running on the page, including a malicious script injected through an unrelated XSS bug, a compromised third-party dependency, or a browser extension. Storing a Social Security Number, date of birth, or card number there leaves it sitting in plaintext on the user's device indefinitely (localStorage has no expiry), with no server-side control over who can delete it. It also complicates data-deletion requests under privacy law, since the data now lives outside any system the backend can purge on request.

How to fix it

Keep this data server-side and send only what the current view needs, re-fetching it when required instead of caching it in browser storage. If the client genuinely needs to remember something about the user across page loads, store a non-sensitive reference (like a user id) and look up the sensitive value from the server when it is actually needed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Documentation, UX & Accessibility checks