Does it depend on the data stored, or does it apply in any implementation?
Yes, it depends on the data stored.
LocalStorage saves data in the user's browser; it is persistent and survives system reboots or shutdowns. SessionStorage functions in almost the same way, but the data is only saved until the window or the tab is closed.
Saving sensitive information like credentials or session tokens in LocalStorage is insecure because of its inherent characteristics: any XSS attack can extract data from the storage, and the data could also be changed with the same method. Using cookies with the HttpOnly flag is the best way to deal with session tokens and sensitive user information.
Then there's no difference between LocalStorage and SessionStorage in the XSS scenario?
Where is the right place to store sensitive information like tokens or credentials?
As I said up there:
Using cookies with the HttpOnly flag is the best way to deal with session tokens and sensitive user information.
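
An added example, not part of the thread: a check over `Set-Cookie` response headers that reports session cookies a page script could read through `document.cookie` because HttpOnly is missing. The function names, the cookie name `sid` and the sample headers are constructed for illustration, and the Secure and SameSite checks go beyond what the thread mentions.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lowercased; flag attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Report session cookies that are exposed to page scripts or lack
// transport and cross-site protections. Non-session cookies are skipped.
function auditSessionCookies(setCookieHeaders, sessionNames) {
  const findings = [];
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    if (!sessionNames.includes(c.name)) continue;
    if (!c.attrs.httponly) {
      findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    }
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure`);
    if (!c.attrs.samesite) findings.push(`${c.name}: missing SameSite`);
  }
  return findings;
}

// Constructed sample responses: the same session cookie, weak and hardened.
const weakResponse = [
  'sid=constructed-token; Path=/',
  'theme=dark; Path=/',
];
const hardenedResponse = [
  'sid=constructed-token; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
];

console.log(auditSessionCookies(weakResponse, ['sid']));
console.log(auditSessionCookies(hardenedResponse, ['sid']));
```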