Closed svavantsa closed 7 years ago
Closing this as invalid as Math.random is used only for generating semi-unique ids for WAI-ARIA, and not for any particular reason where a security context comes into play.
Please delve into the purpose of the code before filing an issue, this was lazy from an infosec perspective.
Code scanning tools that look for security vulnerabilities such as HPE Fortify, Checkmarx and others such as audits have pointed out this vulnerability.
By using a more secure method for generating random numbers, the code is going to be more secure, not dysfunctional or insecure.
I think you should reconsider.
Surya Avantsa.
On Wed, Feb 15, 2017 at 5:49 AM Wesley Cho notifications@github.com wrote:
> Closing this as invalid as Math.random is used only for generating semi-unique ids for WAI-ARIA, and not for any particular reason where a security context comes into play.
> Please delve into the purpose of the code before filing an issue, this was lazy from an infosec perspective.
Surya Avantsa
Bug description:
Using Math.Random() is not a secure way of generating random numbers. They cannot withstand cryptographic attacks by hackers.
Link to minimally-working plunker that reproduces the issue:
See: https://vulncat.hpefod.com/en/weakness?category=Insecure+Randomness.
Version of Angular, UIBS, and Bootstrap
ui-bootstrap-tpls-0.13.4.min.js
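
An added example (not part of the thread and not ui-bootstrap code) contrasting the two uses the discussion turns on: an element id that only has to be unique, and a secret that has to be unpredictable. All function names, the `widget` prefix and the 10000 range are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not ui-bootstrap code.
// Web Crypto is global in browsers and recent Node; older Node needs require.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed stand-in for the pattern the thread describes: Math.random
// used to build a semi-unique element id (the 10000 range is an assumption).
function semiUniqueId(prefix) {
  return `${prefix}-${Math.floor(Math.random() * 10000)}`;
}

// An element id only has to be unique within the document, so a counter
// meets the requirement without any random source.
function createIdFactory(prefix) {
  let next = 0;
  return () => `${prefix}-${++next}`;
}

// A value an attacker must not guess (session id, CSRF token, reset code)
// needs a CSPRNG: getRandomValues, hex-encoded here.
function secretToken(byteLength = 16) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(byteLength));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Counts how many generated values repeat an earlier one.
function countCollisions(generate, n) {
  const seen = new Set();
  let collisions = 0;
  for (let i = 0; i < n; i++) {
    const value = generate();
    if (seen.has(value)) collisions++;
    seen.add(value);
  }
  return collisions;
}

console.log('counter collisions:',
  countCollisions(createIdFactory('widget'), 2000));
console.log('Math.random collisions:',
  countCollisions(() => semiUniqueId('widget'), 2000));
console.log('secret token:', secretToken());
```

When triaging a scanner finding of this kind, the question to answer is which of these two roles the generated value plays at the call site.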