You say that:
> In this case, if awesomejslibrary.com is compromised and their minified.js script gets altered to:
> - Loop through all data in local storage
> - Send it to an API built to collect stolen information
>
> ... then you are completely screwed.
The implication is that if you don't store anything in local storage this scenario is totally fine, but of course the attacker can do anything they like, including log username/password combinations, so you are still completely screwed.
You also say:
> Make sure that your cookie library also sets the SameSite=strict cookie flag (to prevent CSRF attacks)
And that's your only mention of CSRF. Well good luck to any readers who implemented that as their sole defence against CSRF.