Insecure Randomness for the useof Math.random() in redrawBarForSubchart, redrawLineForSubchart and redrawAreaForSubchart(security vulnerability)

shubhamvinayak commented 1 year ago

C3 version: v7.0.0
D3 version: v5.0.0
Browser: Chrome
OS: Windows

Since Math.random could potentially return the same value twice and it is not cryptographically secure causing the insecure randomness when we scan the code in the fortify tool.

Please confirm if there is any future plan to remove Math.random and use cryptographically secure code for getting random values. just by using crypto API

const myArray = new Uint32Array(10);
crypto.getRandomValues(myArray);

redrawBarForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12493
redrawLineForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12526
redrawAreaForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12562

kondalraodurgam commented 1 year ago

Facing same issue +1

netil commented 1 year ago

For those who are interested on, it has been applied to billboard.js

naver/billboard.js#3099

c3js / c3

Insecure Randomness for the useof Math.random() in redrawBarForSubchart, redrawLineForSubchart and redrawAreaForSubchart(security vulnerability) #2874