The trend of storing auth tokens in localStorage rather than httpOnly cookies is a problematic trend due to vulnerabilities like this. If you can exfiltrate an authtoken then one gets long lived access to the system.