Insecure "unsafe-eval" directive in browser header for riskminder-client.js

Article ID: 260470

Updated On:

Products

CA Risk Authentication CA Advanced Authentication CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

The insecure 'unsafe-eval' keyword is required in the browser Content-Security-Policy (CSP) header for riskminder-client.js. The issue exists in 9.1 SP3 (9.1.03). A hotfix to address this issue is available and can be requested via a Broadcom support case. For background, refer to https://stackoverflow.com/questions/37155270/content-security-policy-csp-safe-usage-of-unsafe-eval. Essentially, use of the eval() function is unsafe: eval() turns a string into executable code, so an attacker who can influence that string (for example through a DOM-based XSS bug) can execute arbitrary JavaScript in the user's session, and a CSP that contains 'unsafe-eval' cannot block it.

Environment

Release : 9.1.x

Risk Authentication

Cause

'unsafe-eval' is a source keyword in the script-src (or, when script-src is absent, default-src) directive of a Content-Security-Policy header. When present, it allows the application to use the eval() JavaScript function and the other string-to-code APIs that CSP governs (new Function(), and setTimeout()/setInterval() called with a string argument). Because the riskminder-client.js shipped with 9.1.03 depends on eval(), a CSP deployed in front of it must include 'unsafe-eval', which reduces the protection CSP otherwise provides against certain types of DOM-based XSS bugs.

Resolution

Broadcom Engineering has removed the dependency on the 'unsafe-eval' keyword, which allowed the application to use the eval() JavaScript function. Essentially, not using 'unsafe-eval' disallows eval() and achieves a safer CSP (Content Security Policy). Engineering has provided a newer version of riskminder-client.js that no longer requires 'unsafe-eval'.
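The following is an added example, not code from this KB article or from riskminder-client.js. It shows two things a practitioner wants when verifying this fix: a small checker that parses a Content-Security-Policy header and reports whether the effective script policy still permits eval(), applied to a weak policy (with 'unsafe-eval') beside its hardened form; and a generic illustration of why CSP blocks eval(), contrasting eval() with JSON.parse() on untrusted text. The header values and the payload string are constructed for illustration; the eval-vs-JSON.parse pattern is a common one and is not a claim about what riskminder-client.js used eval() for.

```javascript
// Added example: CSP 'unsafe-eval' checker and eval() vs JSON.parse() contrast.
// Not part of the Broadcom KB article or riskminder-client.js.

// Parse "directive value value; directive value" into a Map of lowercase
// directive name -> array of source expressions. Browsers ignore a repeated
// directive, so the first occurrence wins here as well.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// eval() is governed by script-src; when script-src is absent the browser
// falls back to default-src; when neither is present CSP does not restrict
// script at all, so eval() is allowed.
function allowsEval(header) {
  const policy = parseCsp(header);
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src');
  if (scriptSrc === undefined) return true;
  return scriptSrc.some((v) => v.toLowerCase() === "'unsafe-eval'");
}

// Hardened form of a header: drop 'unsafe-eval' from script-src. This is only
// deployable once the client script (here, riskminder-client.js) no longer
// calls eval(); otherwise the browser blocks the script's eval() calls.
function stripUnsafeEval(header) {
  return header
    .split(';')
    .map((part) => {
      const tokens = part.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'script-src') {
        return tokens.filter((t) => t.toLowerCase() !== "'unsafe-eval'").join(' ');
      }
      return part.trim();
    })
    .filter(Boolean)
    .join('; ');
}

// Constructed sample headers (assumed, not taken from any product).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'";
const STRICT_CSP = stripUnsafeEval(WEAK_CSP);

// Why CSP refuses eval(): parsing untrusted text with eval() runs whatever the
// text contains, while JSON.parse() accepts only data and throws on anything
// else. Generic pattern, not a statement about riskminder-client.js internals.
function parseWithEval(text) {
  return eval('(' + text + ')'); // executes arbitrary code embedded in `text`
}
function parseWithJson(text) {
  return JSON.parse(text); // SyntaxError on anything that is not JSON
}

// Constructed payload: valid-looking JSON followed by a comma expression that
// sets a global when evaluated as code.
const PAYLOAD = '{"ok": true}, (globalThis.__csp_demo_pwned = "code ran")';

console.log('weak  :', WEAK_CSP, '-> eval allowed:', allowsEval(WEAK_CSP));
console.log('strict:', STRICT_CSP, '-> eval allowed:', allowsEval(STRICT_CSP));
try {
  parseWithJson(PAYLOAD);
} catch (e) {
  console.log('JSON.parse rejected payload:', e.name);
}
console.log('eval returned:', parseWithEval(PAYLOAD), '| global set:', globalThis.__csp_demo_pwned);
```

Run it with node. To check a real deployment, fetch the login page with curl -sI and paste the Content-Security-Policy response header into allowsEval(): after installing the updated riskminder-client.js the policy can be tightened so that it returns false, and the browser console should then show no CSP eval violations from the client script.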

To request this version of riskminder-client.js, please file a support case and reference this KB article #260470. The name of the zipped riskminder-client.js file to request via the support case is Symantec-AdvAuth-9.1.03-DE554783-HotFix.zip. Also note that 9.1 SP4 (9.1.04), scheduled for release at the end of March 2023, will provide the updated riskminder-client.js as part of the new client binaries released with it.

Additional Information

None.