PIVX-Labs · JSKitty · Jul 10, 2023 · Jul 8, 2023 · Jul 8, 2023
diff --git a/scripts/global.js b/scripts/global.js
@@ -10,7 +10,7 @@
    decryptWallet,
    getNewAddress,
    getDerivationPath,
    LegacyMasterKey,
 } from './wallet.js';
 import { getNetwork, HistoricalTxType } from './network.js';
 import {
@@ -1378,8 +1378,10 @@
  * Imports a wallet using the GUI input, handling decryption via UI
  */
 export async function guiImportWallet() {
-    const fEncrypted =
-        doms.domPrivKey.value.length >= 128 && isBase64(doms.domPrivKey.value);
+    // Important: These fields will be wiped by importWallet();
+    const strPrivKey = doms.domPrivKey.value;
+    const strPassword = doms.domPrivKeyPassword.value;
+    const fEncrypted = strPrivKey.length >= 128 && isBase64(strPrivKey);
 
     // If we are in testnet: prompt an import
     if (cChainParams.current.isTestnet) return importWallet();
@@ -1388,8 +1390,6 @@
     if (!(await hasEncryptedWallet()) && !fEncrypted) return importWallet();
 
     // If we don't have a DB wallet and the input is ciphered:
-    const strPrivKey = doms.domPrivKey.value;
-    const strPassword = doms.domPrivKeyPassword.value;
     if (!(await hasEncryptedWallet()) && fEncrypted) {
         const strDecWIF = await decrypt(strPrivKey, strPassword);
         if (!strDecWIF || strDecWIF === 'decryption failed!') {
@@ -1407,6 +1407,9 @@
                     encWif: strPrivKey,
                 });
             }
+            // Destroy residue import data
+            doms.domPrivKey.value = '';
+            doms.domPrivKeyPassword.value = '';
             return;
         }
     }
@@ -1443,6 +1446,8 @@
     createAlert('success', ALERTS.NEW_PASSWORD_SUCCESS, [], 5500);
 
     $('#encryptWalletModal').modal('hide');
+    doms.domEncryptPasswordFirst.value = '';
+    doms.domEncryptPasswordSecond.value = '';
 
     doms.domWipeWallet.hidden = false;
 }
@@ -1727,10 +1732,12 @@
             html: `${strHTML}<input type="password" id="restoreWalletPassword" placeholder="Wallet password" style="text-align: center;">`,
         })
     ) {
+        // Fetch the password from the prompt, and immediately destroy the prompt input
+        const domPassword = document.getElementById('restoreWalletPassword');
+        const strPassword = domPassword.value;
+        domPassword.value = '';
+
         // Attempt to unlock the wallet with the provided password
-        const strPassword = document.getElementById(
-            'restoreWalletPassword'
-        ).value;
         if (await decryptWallet(strPassword)) {
             doms.domRestoreWallet.hidden = true;
             doms.domWipeWallet.hidden = false;

diff --git a/scripts/wallet.js b/scripts/wallet.js
@@ -584,7 +584,7 @@
    fRaw = false,
    isHardwareWallet = false,
    skipConfirmation = false,
    fSavePublicKey = false,
    fStartup = false,
 } = {}) {
    const strImportConfirm =
@@ -841,6 +841,10 @@
         doms.domMnemonicModalButton.onclick = () => {
             res(doms.domMnemonicModalPassphrase.value);
             $('#mnemonicModal').modal('hide');
+
+            // Wipe the mnemonic displays of sensitive data
+            doms.domMnemonicModalContent.innerText = '';
+            doms.domMnemonicModalPassphrase.value = '';
         };
         $('#mnemonicModal').modal('show');
     });