After running a Fortify Security Report we are getting "Standard pseudorandom number generators cannot withstand cryptographic attacks" in the main library files jquery.js, bootstrap.js and highchart.js for the Math.random() function. I am thinking of changing the Math.random() function in the library files, but changing the main library file directly is not a solution. Please suggest any changes so that we do not get "Standard pseudorandom number generators cannot withstand cryptographic attacks".
- Why do you need to cryptographically secure view-layer libraries? – Oliver Sep 08 '17 at 10:58
- When we run the Fortify Security Report again, this message should not come up again. And in this report the issue is raised in all main library files like jquery.js and bootstrap.js for the Math.random function. – B Developer2 Sep 08 '17 at 11:07
2 Answers
Math.random() isn't a part of jQuery. It's a part of the browser's standard JavaScript library. So I think that the random number generator Math.random() used in jQuery cannot withstand cryptographic attacks, and in this case we don't need the result to be really that random; changing the code would make it much larger at the cost of all users of the library.

As mentioned in Dhaval's answer (https://stackoverflow.com/a/46502229/1981358), you may not need cryptographically secure randomness in your library. You will need to investigate each library, but it is likely the question has already been asked. For instance, from the jQuery forums:
You are not the first person to get these false warnings from fortify.
Take it up with them.
As far as determining whether your JS library actually has security issues, I'd recommend regular checking on Snyk. Here is the link for their list of jQuery versions and their vulnerabilities: https://snyk.io/vuln/npm:jquery
(You can use the Chrome Dev Tools Audit to get a list of the front-end JS libraries with known security vulnerabilities that a page is using, with links to the relevant Snyk page.)
If you have determined that your JS library does not need cryptographically secure randomness, use the Fortify SSC to mark it as Not an Issue.
If you actually do need cryptographically secure randomness, the answers to this question (and the linked questions) provide some options: Is Math.random() cryptographically secure?
