GDPR Art. 5(1)(e) requires personal data not be retained longer than necessary — cached session data that survives a logout or uninstall violates this principle. A user who logs out of an extension expecting their session to be cleared can still have their data re-accessed if the extension is re-opened without re-authentication. GDPR Art. 17 (right to erasure) is practically impossible to honor if cached data persists beyond logout. CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) covers this failure. Uninstall handlers that do not clear extension storage leave personal data on the user's device indefinitely — often forgotten and never cleaned up.
Low because data persistence after logout is a latent privacy risk rather than an immediate exfiltration — but it directly violates GDPR Art. 5(1)(e) storage limitation and makes Art. 17 erasure requests unenforceable.
Implement a logout() function that clears all session state, and hook it to the extension's uninstall event:
// Module-level session state
let currentUser = null;
let sessionCache = {};

function logout() {
  // Clear in-memory state
  currentUser = null;
  sessionCache = {};
  // Clear extension storage keys written during the session
  chrome.storage.local.remove(['authToken', 'sessionId', 'cachedProfile']);
  // Sweep any remaining prefixed session keys
  clearSessionKeys();
}

// Uninstall: chrome.runtime.setUninstallURL can trigger server-side cleanup.
// For local cleanup, call this from onSuspend in MV2 or from alarm-based cleanup in MV3,
// not at top level, where it would run on every script load.
function clearSessionKeys() {
  chrome.storage.local.get(null, (items) => {
    const sessionKeys = Object.keys(items).filter(k => k.startsWith('session_'));
    chrome.storage.local.remove(sessionKeys);
  });
}
Document which storage keys are session-scoped vs. persistent preferences, and ensure logout() targets only session keys to avoid destroying legitimate user settings on re-install.
ID: extension-data-privacy.third-party-sharing.cache-cleanup
Severity: low
What to look for: Examine the logout flow and uninstall handlers. Check whether temporary caches (in-memory state, sessionStorage, temporary IndexedDB tables, or chrome.storage.local session data) are cleared when the user logs out or the extension is uninstalled.
Pass criteria: Count all storage keys written during a session. Logout must clear 100% of session-specific keys (in-memory caches and session storage). Uninstall handler clears all temporary data (optional: can keep preferences if user reinstalls, but session data should be cleared).
Fail criteria: Logout does not clear cached data. Cache entries persist after logout and can be re-accessed. Uninstall does not trigger cleanup.
Skip (N/A) when: The extension has no logout flow (no user accounts), or no temporary caches are maintained.
Detail on fail: Example: "User logs out but authToken remains in chrome.storage.local, accessible if extension is used again" or "In-memory cache of user profile is not cleared on logout; private data persists."
Remediation: Clear caches on logout and uninstall:
function logout() {
  // Clear memory
  currentUser = null;
  sessionCache = {};
  // Clear temporary storage
  chrome.storage.local.remove(['authToken', 'sessionId']);
  // Clear IndexedDB temp tables if needed
  indexedDB.deleteDatabase('tempData');
}
chrome.runtime.onInstalled.addListener(({ reason }) => {
  // onInstalled fires on install and update, not on uninstall.
  // Clearing on update would wipe user preferences, so act on a fresh install only.
  if (reason !== 'install') return;
  // Optional: clear any data left over from an earlier install
  chrome.storage.local.clear();
});
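One way to enforce the session-versus-persistent key split and check the pass criterion that logout clears every session key, as an added example that is not part of the original rule. The function names, the `theme`, `language` and `lastQuery` keys, and the in-memory storage stand-in are assumptions; in an MV3 extension pass `chrome.storage.local` instead.

```javascript
// Session key names and the 'session_' prefix come from the snippets above;
// 'theme' and 'language' are hypothetical persistent preferences.
const SESSION_KEYS = new Set(['authToken', 'sessionId', 'cachedProfile']);
const SESSION_PREFIX = 'session_';
const PERSISTENT_KEYS = new Set(['theme', 'language']);

// Sort every stored key into session / persistent / unclassified.
function classifyKeys(keys) {
  const out = { session: [], persistent: [], unclassified: [] };
  for (const k of keys) {
    if (SESSION_KEYS.has(k) || k.startsWith(SESSION_PREFIX)) out.session.push(k);
    else if (PERSISTENT_KEYS.has(k)) out.persistent.push(k);
    else out.unclassified.push(k);
  }
  return out;
}

// Remove all session keys, then re-read storage and report what is left.
// `storage` is any object with the promise-based get/remove calls of chrome.storage.local.
async function logoutAndAudit(storage) {
  const before = classifyKeys(Object.keys(await storage.get(null)));
  await storage.remove(before.session);
  const after = classifyKeys(Object.keys(await storage.get(null)));
  return {
    removed: before.session,
    leaked: after.session,            // must be empty to meet the pass criteria
    unclassified: after.unclassified, // undocumented keys: classify these before shipping
    pass: after.session.length === 0,
  };
}

// Constructed in-memory stand-in for chrome.storage.local so the example runs under Node.
function makeFakeStorage(initial) {
  const data = { ...initial };
  return {
    get: async () => ({ ...data }),
    remove: async (keys) => { for (const k of keys) delete data[k]; },
  };
}

// Constructed sample state: three session keys, one preference, one undocumented key.
const sample = { authToken: 't', session_tab1: {}, cachedProfile: {}, theme: 'dark', lastQuery: 'x' };
logoutAndAudit(makeFakeStorage(sample)).then((report) => console.log(report));
```

A non-empty `unclassified` list means a key was written that nobody documented as session-scoped or persistent, which is how session data usually escapes a hard-coded `remove()` list.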