Insecure Randomness for the useof Math.random() in redrawBarForSubchart, redrawLineForSubchart and redrawAreaForSubchart(security vulnerability)

Question

Insecure Randomness for the useof Math.random() in redrawBarForSubchart, redrawLineForSubchart and redrawAreaForSubchart(security vulnerability)

shubhamvinayak opened this issue a year ago · 2 comments

C3 version: v7.0.0
D3 version: v5.0.0
Browser: Chrome
OS: Windows

Since Math.random could potentially return the same value twice and it is not cryptographically secure causing the insecure randomness when we scan the code in the fortify tool.

Please confirm if there is any future plan to remove Math.random and use cryptographically secure code for getting random values.
just by using crypto API

const myArray = new Uint32Array(10);
crypto.getRandomValues(myArray);

redrawBarForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12493
redrawLineForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12526
redrawAreaForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12562

Answer 1 · 2023-01-20T13:16:44.000Z

Facing same issue +1

Answer 2 · 2023-02-17T05:53:25.000Z

For those who are interested on, it has been applied to billboard.js

naver/billboard.js#3099