[homescreen] Vulnerability analysis issues - Shortcuts.js

Status: RESOLVED FIXED
Product: Firefox OS
Component: Gaia::Everything.me

Reporter: Carmen Jimenez Cabezas (Unassigned)


Description (Reporter)

We have run an automated vulnerability analysis on the Gaia code.
After manually filtering the results, we have found the following possible issues on the image-uploader app:

* everything.me/modules/Shortcuts/Shortcuts.js

On line 287 of Shortcuts.js the program uses insecure randomness. Standard pseudo-random number generators cannot withstand cryptographic attacks.

285
286 Evme.Shortcut = function() {
287 var _name = "Shortcut", _this = this, cfg = null, id = "id"+Math.round(Math.random()*10000),
288 $el = null, $thumb = null, index = -1, query = "", image = "",imageLoadingRetry = 0,
289 timeoutHold = null, removed = false,

The standard pseudorandom generator isn't good enough for anything that requires non-predictability.
If this session is used to keep track of a session at the server, a more robust generator should be used.
http://baagoe.org/en/w/index.php/Better_random_numbers_for_javascript
homescreen's everything.me/modules/Shortcuts/Shortcuts.js can be checked for a better way to implement this.
Component: Gaia::Homescreen → Gaia::Everything.me
Comment 1 (Reporter)

>> homescreen's everything.me/modules/Shortcuts/Shortcuts.js can be checked for a better way to implement this.

Sorry for the error. This should read "Calendar's js/ext/uuid.js can be checked for a better way to securely implement random number generation".
Depends on: 814659
same PR as here
https://bugzilla.mozilla.org/show_bug.cgi?id=814659
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED