Replace Math.random() for something more secure

[PiiXiieeS]

Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

• CVE-2013-6386
• CVE-2006-3419
• CVE-2008-4102
  When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.

Alternative solution

const crypto = window.crypto || window.msCrypto;
var array = new Uint32Array(1);
crypto.getRandomValues(array); // Compliant for security-sensitive use cases

[crookedneighbor]

Thanks for the issue. Would you like to open a PR?

The security implications are not a concern for Braintree's use case, in most cases it's simply a unique id we generate for logging or to facilitate messaging between a page and iframes on the page, nothing that someone guessing the unique id would be able to take advantage of.

However, I can see someone attempting to use this module in their project that would require it to be more secure and not realizing that the module, as is, does not meet their needs. So happy to have this implemented.

If you do not want to open a PR, we'll tackle this as part of our work for the next major version in our web SDK.

[PiiXiieeS]

Hi @crookedneighbor
I did open a PR, hope it helps: #2