Affected versions of this package are vulnerable to Insecure Credential Storage. The current implementation of web3.js could result in wallet decryption under certain circumstances. When a wallet is saved and encrypted into local storage, a private key is needed to load the wallet. However, this private key is available via LocalStorage and is readable in plaintext on a webpage after a wallet is loaded.
This implementation could be abused by an attacker through client-side attacks such as Cross-site Scripting (XSS) and could result in theft of a user's wallet private key.