Insecure Randomness

[Korysam15]

All,

In the rxjs package version 6.x under internal/symbol/rxSubscriber.js there exists the following code:

/** @deprecated do not use, this is no longer checked by RxJS internals */
export const rxSubscriber = (() =>
  typeof Symbol === 'function'
    ? Symbol('rxSubscriber')
    : '@@rxSubscriber_' + Math.random())();

/**
 * @deprecated use rxSubscriber instead
 */
export const $$rxSubscriber = rxSubscriber;

This is a security issue as the Math.random() call can be very predictable and is causing a Fortify scan of mine to return with high level security issues due to the above code. Would it be possible to get this swapped out for crypto.randomuuid() instead?

[benlesh]

What security risk does Fortify scan think this has? The concern is that someone is going to use Math.random prediction to create Subscriber and pass it to an Observable to what effect? This isn't used to create a unique id that is persisted or sent to a server. It's only used to create a unique property name that is completely etherial. There's no security hole here. You can ignore the error.

Alternatively, you could just create a fork and change that bit, or even monkey patch Math.random() with something that makes you happy within the confines of your app.