Open defuse opened 7 years ago
I fixed this in my local environment, but I can't commit this, unfortunately, due to restrictions. This code should be implemented at line 33.
```javascript
// More secure implementation than Math.random(): one 32-bit word from the CSPRNG.
// Divide by 2^32 (4294967296), not 2^32 - 1, so `random` lies in [0, 1): dividing by
// 4294967295 maps the largest Uint32 to exactly 1.0, and floor(1.0 * charset.length)
// would then index one past the end of the charset.
var random = window.crypto.getRandomValues(new Uint32Array(1))[0] / 4294967296;
// defining random character index in [0, charset.length)
index = Math.floor(random * (charset.length));
```
The passwords are generated using Math.random(), which isn't a cryptographically secure source of random numbers (at least not in most browsers). The problem here is that the passwords this library generates will be easier to predict/guess than passwords that are generated properly, and it might even be possible for a website open in a different tab to steal Math.random()'s state to learn the passwords being generated on a different website in a different tab (I'm not sure about this).
You'll want to use this: https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues