By DeepSource

Audit: Found insecure randomness in initialization of sensitive data JS-A1000

Numbers generated by Math.random come from a seeded pseudo-random number generator built for speed, not unpredictability; they are not cryptographically secure, and an attacker who observes a few outputs can predict the ones that follow. When random numbers feed security-sensitive values such as session identifiers, password-reset tokens, nonces, salts or keys, use a cryptographically secure source instead: crypto.randomBytes, crypto.randomInt or crypto.randomUUID in Node.js, and crypto.getRandomValues or crypto.randomUUID in browsers and Electron renderers.

Found potentially unsafe deserialization JS-S1000

Deserializing data from an untrusted source exposes an application to denial-of-service, access-control bypass and remote code execution (RCE). Applications and APIs are vulnerable when they deserialize hostile or tampered objects supplied by an attacker.

This can result in two primary types of attacks:

  • Object and data structure-related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
  • Typical data tampering attacks such as access-control-related attacks where existing data structures are used but the content is changed.

Avoid deserializing untrusted input altogether where possible. When serialized data must be accepted, either do not accept it from untrusted sources, or use a serialization format that permits only primitive data types (for example plain JSON validated against an explicit schema) rather than one that can reconstruct arbitrary objects, classes or functions.
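As an added example (not DeepSource's code), the block below contrasts the two approaches. The "unsafe" deserializer is a constructed stand-in for formats that let a payload carry executable code, revived here from a hypothetical `$fn` marker; the safe version accepts only JSON whose leaves are primitives matching a caller-supplied schema, and rejects prototype-polluting keys. The payload and schema are constructed for the illustration.

```javascript
// Added example, not DeepSource's code: a deserializer that revives code from
// the wire beside one that only admits schema-checked primitive values.

// UNSAFE (the pattern JS-S1000 flags): any {"$fn": "<source>"} node becomes a
// real function, so whoever controls the payload controls the code that runs
// when the application later calls that function. The "$fn" marker is a
// constructed illustration of formats that can restore functions or classes.
function unsafeDeserialize(text) {
  return JSON.parse(text, (key, value) => {
    if (value && typeof value === 'object' && typeof value.$fn === 'string') {
      return new Function(value.$fn); // arbitrary code from the wire
    }
    return value;
  });
}

// Keys that would let a payload reach Object.prototype or a constructor.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// SAFE: JSON.parse never yields functions or class instances, but the result
// still has to be checked. `schema` maps each allowed key to the primitive
// type it must have; unknown keys, wrong types, nested objects and missing
// keys are all rejected, and the result has no prototype to pollute.
function safeDeserialize(text, schema) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('expected a JSON object');
  }
  const result = Object.create(null);
  for (const key of Object.keys(parsed)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`forbidden key: ${key}`);
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      throw new TypeError(`unexpected key: ${key}`);
    }
    const value = parsed[key];
    if (typeof value !== schema[key]) {
      throw new TypeError(`${key}: expected ${schema[key]}, got ${typeof value}`);
    }
    result[key] = value;
  }
  for (const key of Object.keys(schema)) {
    if (!(key in result)) throw new TypeError(`missing key: ${key}`);
  }
  return result;
}
```

The safe variant deliberately returns an object created with `Object.create(null)`: even if a key such as `__proto__` slipped through a later change to the checks, there is no prototype chain on the result to poison.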

Insecure web security preferences found in Electron JS-S1015

Setting the webSecurity property to false, or allowRunningInsecureContent to true, in the webPreferences of an Electron renderer such as a BrowserWindow or BrowserView disables crucial security features: webSecurity: false turns off the same-origin policy for that renderer, and allowRunningInsecureContent: true lets a page served over https load JavaScript, CSS or plugins from http URLs. By default, webSecurity is true and allowRunningInsecureContent is false; note that setting webSecurity to false also switches allowRunningInsecureContent to true unless the latter is set explicitly.
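As an added example (not DeepSource's or Electron's code), the block below places the flagged webPreferences beside a hardened configuration and adds a small checker that reports the same conditions JS-S1015 looks for. The extra hardening keys in the secure configuration (contextIsolation, nodeIntegration, sandbox) are assumptions about what a practitioner would also set; Electron itself is not needed to run the checker.

```javascript
// Added example, not DeepSource's or Electron's code: the insecure
// webPreferences beside the hardened form, plus a checker for both settings.

// Flagged by JS-S1015: disables the same-origin policy and lets an https page
// pull http scripts. In Electron, webSecurity: false also implies
// allowRunningInsecureContent: true unless that key is set explicitly.
const insecurePrefs = {
  webPreferences: {
    webSecurity: false,
    allowRunningInsecureContent: true,
  },
};

// Hardened: keep both at their defaults (webSecurity true,
// allowRunningInsecureContent false). The remaining keys are assumed
// renderer-isolation settings, not part of this rule.
const securePrefs = {
  webPreferences: {
    webSecurity: true,
    allowRunningInsecureContent: false,
    contextIsolation: true,
    nodeIntegration: false,
    sandbox: true,
  },
};

// Returns the list of findings for a BrowserWindow/BrowserView options object.
function auditWebPreferences(options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  if (prefs.webSecurity === false) {
    findings.push('webSecurity is false: same-origin policy disabled');
    if (prefs.allowRunningInsecureContent === undefined) {
      findings.push('allowRunningInsecureContent implicitly true because webSecurity is false');
    }
  }
  if (prefs.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent is true: https page may load http scripts, CSS or plugins');
  }
  return findings;
}

// Usage with Electron (assumed, not executed here):
//   const { BrowserWindow } = require('electron');
//   const win = new BrowserWindow(securePrefs);
```

The checker treats an omitted allowRunningInsecureContent as a finding only when webSecurity is false, matching the implicit switch described above; on a default configuration it reports nothing.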