security: clear decrypted secrets after use (best-effort)

2026-02-27 11:36:38 -08:00
parent f13cd0fd47
commit eec96f9054
2 changed files with 11 additions and 1 deletions
--- a/src/popup/index.html
+++ b/src/popup/index.html
@@ -1018,7 +1018,12 @@
                <div
                    id="approve-sign-danger-warning"
                    class="hidden mb-3 p-2 text-xs font-bold"
-                    style="background: #fee2e2; color: #991b1b; border: 2px solid #dc2626; border-radius: 6px"
+                    style="
+                        background: #fee2e2;
+                        color: #991b1b;
+                        border: 2px solid #dc2626;
+                        border-radius: 6px;
+                    "
                ></div>

                <div class="mb-3">
--- a/src/popup/views/confirmTx.js
+++ b/src/popup/views/confirmTx.js
@@ -334,8 +334,13 @@ function init(ctx) {
                tx = await contract.transfer(pendingTx.to, amount);
            }

+            // Best-effort: clear decrypted secret after use.
+            // Note: JS strings are immutable; this nulls the reference but
+            // the original string may persist in memory until GC.
+            decryptedSecret = null;
            txStatus.showWait(pendingTx, tx.hash);
        } catch (e) {
+            decryptedSecret = null;
            const hash = tx ? tx.hash : null;
            txStatus.showError(pendingTx, hash, e.shortMessage || e.message);
        }