On 10 Apr 2018, at 00:39, m...@musalbas.com wrote:
> The original disclosure didn't contain any information about the library
> in question, so I did some digging.
>
> I think that the vulnerability disclosure is referring to a pre-2013
> version of jsbn, a JavaScript crypto library. Before it
>> Note that even with v1.4, it still does not use high-quality entropy for
>> Internet Explorer, because getRandomValues is provided under window.msCrypto
>> for that browser.
>
> I don't know for that one, what was the issue?
I simply meant that Internet Explorer implements the Web Cryptography
These issues all stem from the RC4-based RNG implementation (with insecure
fallback entropy) in Tom Wu's jsbn library, published here:
http://www-cs-students.stanford.edu/~tjw/jsbn/
Please refer to Tom Wu's URL, or this more up-to-date fork of Tom Wu's code
(published to NPM):
