Opened 9 years ago
Closed 8 years ago
#14669 closed New Feature (invalid)
Use window.crypto Instead of Math.random
Reported by: | patrick5080 | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | 4.5.4 |
Keywords: | Cc: |
Description
Hello, I have a request please. We are using HP Fortify for our code-base and Fortify reports security vulnerabilities in the ckeditor and lite-includes.js (and the jquery.min.js) files. The lite-includes.js and jquery.min.js files are located under the plugins/lite directory. Is it possible to replace Math.random method with window.cyrpto.random method as Fortify specifies this is a security vulnerability?
Thank you, patrick
Steps to reproduce
- View contents of ckeditor.js and lite-includes-min.js file (plugins/lite)
- Code is using Math.random() instead of window.crytpo.random()
Thank you for the report.
First of all I need to say that just because some program has reported something it doesn't mean its is right.
The program is absolutely right about random - http://stackoverflow.com/questions/5651789/is-math-random-cryptographically-secure. It is not secure.
The "crypto" https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto seems to be supported by all modern browsers.
Based on that I have checked the code and here are my results:
Math.random
is used for generating random hashes to prevent caching on images etc. There is no absolutely security threat here.window.crypto
in the first place andMath.random() * 256 )
only when browser doesn't supportwindow.crypto
. This is correct approach because we also need to provide some level of support (a fallback solution) for old browsers. If you however look at the compatibility table you will see that it is very unlikely that someone will have such browser like IE6- or Opera 19-.To sum up - having few random functions for generating anti-cache hashes is not a security threat.