Insecure Randomness for the useof Math.random() in redrawBarForSubchart, redrawLineForSubchart and redrawAreaForSubchart(security vulnerability)
shubhamvinayak opened this issue · 2 comments
shubhamvinayak commented
- C3 version: v7.0.0
- D3 version: v5.0.0
- Browser: Chrome
- OS: Windows
Since Math.random could potentially return the same value twice and it is not cryptographically secure causing the insecure randomness when we scan the code in the fortify tool.
Please confirm if there is any future plan to remove Math.random and use cryptographically secure code for getting random values.
just by using crypto API
const myArray = new Uint32Array(10);
crypto.getRandomValues(myArray);
- redrawBarForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12493
- redrawLineForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12526
- redrawAreaForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12562
kondalraodurgam commented
Facing same issue +1
netil commented
For those who are interested on, it has been applied to billboard.js