Math.random() function is not a cryptographically-secure random number generator

Description

I am using jQuery in my project. Here I have one restriction: I cannot use Math.random(). If Math.random() is present in our code, the code will be rejected. They say JavaScript's Math.random() function is not a cryptographically-secure random number generator. So I am using

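    // Return one random 32-bit unsigned integer from the browser's CSPRNG.
    function getRandom() {
        if ( "crypto" in window && "getRandomValues" in window.crypto ) {
            return window.crypto.getRandomValues( new Uint32Array( 1 ) )[ 0 ];
        }
        // IE11 exposes the same API under the msCrypto prefix.
        if ( "msCrypto" in window && "getRandomValues" in window.msCrypto ) {
            return window.msCrypto.getRandomValues( new Uint32Array( 1 ) )[ 0 ];
        }
        // Fail loudly instead of silently returning undefined.
        throw new Error( "No cryptographically secure random source available" );
    }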

When making a build that combines JS libraries, I am getting Math.random() from the jQuery library.

Can we get rid of Math.random()?

Author: Fantashit

1 thought on “Math.random() function is not a cryptographically-secure random number generator”

  1. See #3136. Not every use of Math.random() has to be cryptographically secure so if a tool is rejecting that in all cases, I’d say it’s too restrictive. In this case we don’t need the result to be really that random and changing the code would make it much larger at the cost of all users of the library.

    Besides, even if we used those more secure APIs we’d still need to fall back to Math.random() for browsers that don’t implement them so we’d still have it in the code and it would still not pass the check done by your tool. I don’t think we can do anything here.
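For values that do have to be unpredictable (tokens, nonces), here is an added example that is not jQuery's code and not part of the original thread: it reuses the crypto/msCrypto detection from the question, fails closed instead of falling back to Math.random(), and maps the raw 32-bit value to a range without modulo bias. The names findCsprng, csprngFill, secureRandomInt and secureToken, and the optional `fill` test hook, are assumptions of this example.

```javascript
// Added example; function names are hypothetical, not jQuery's. Locate a CSPRNG:
// Web Crypto, IE11's msCrypto, or Node's webcrypto when run outside a browser.
function findCsprng() {
    var g = typeof globalThis !== "undefined" ? globalThis : window;
    if ( g.crypto && typeof g.crypto.getRandomValues === "function" ) {
        return g.crypto;
    }
    if ( g.msCrypto && typeof g.msCrypto.getRandomValues === "function" ) {
        return g.msCrypto;
    }
    if ( typeof require === "function" ) {
        try { return require( "crypto" ).webcrypto || null; } catch ( e ) {}
    }
    return null;
}

// Fill a typed array from the CSPRNG; fail closed if there is none.
function csprngFill( buf ) {
    var source = findCsprng();
    if ( !source ) {
        throw new Error( "No CSPRNG available; not falling back to Math.random()" );
    }
    source.getRandomValues( buf );
}

// Uniform integer in [0, bound) by rejection sampling: a plain
// `value % bound` over-represents small results unless bound divides 2^32.
// `fill` is an optional injection point for tests (assumption of this example).
function secureRandomInt( bound, fill ) {
    if ( bound !== Math.floor( bound ) || bound < 1 || bound > 4294967296 ) {
        throw new RangeError( "bound must be an integer in [1, 2^32]" );
    }
    var limit = 4294967296 - ( 4294967296 % bound ); // largest multiple of bound
    var buf = new Uint32Array( 1 );
    do {
        ( fill || csprngFill )( buf );
    } while ( buf[ 0 ] >= limit );
    return buf[ 0 ] % bound;
}

// Build a token from a 62-character alphabet, one unbiased draw per character.
function secureToken( length, fill ) {
    var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    var out = "";
    for ( var i = 0; i < length; i++ ) {
        out += alphabet.charAt( secureRandomInt( alphabet.length, fill ) );
    }
    return out;
}
```

With a bound of 62 the rejection loop discards only 4 of the 2^32 possible values, so it almost never repeats.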
