Insecure "unsafe-eval" directive in browser header for riskminder-client.js


Article ID: 260470

Products

CA Risk Authentication CA Advanced Authentication CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

Insecure "unsafe-eval" directive used in browser header for riskminder-client.js

This is a client-side issue that applies when riskminder-client.js relies on eval() or Function(). A hotfix that addresses it exists and can be requested through a Broadcom support case. For background, refer to https://stackoverflow.com/questions/37155270/content-security-policy-csp-safe-usage-of-unsafe-eval. In short, eval() and Function() turn a string into executable code; if attacker-influenced data can reach such a call, it runs as script in the user's browser, and a Content-Security-Policy that includes 'unsafe-eval' has to permit that.

Environment

Release: 9.1.x

Risk Authentication

Cause

'unsafe-eval' is a source keyword for the Content-Security-Policy script-src directive. When it is present, the page may call eval(), Function() and the string forms of setTimeout()/setInterval(). Including it weakens the protection CSP gives riskminder-client.js against certain DOM-based XSS attacks, because any injected string that reaches one of those calls executes as script.
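The following is an added example, not code from the Broadcom article or from riskminder-client.js, showing the difference in practice: a policy checker that detects 'unsafe-eval' in a CSP header, a legacy eval()-based response parser beside a JSON.parse() replacement, and a constructed payload that demonstrates why the eval() form is dangerous. The header strings, the attackerHook name and the sample payloads are assumptions made for the demonstration.

```javascript
// Added example; not part of the original article or of riskminder-client.js.

// Two CSP headers (constructed): one that permits eval()/Function(), one that does not.
const weakCsp = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const hardenedCsp = "default-src 'self'; script-src 'self'";

// Parse a CSP header into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// True if the policy lets the page use eval(), Function() and string timers.
// script-src governs this; default-src applies when script-src is absent.
function allowsEval(header) {
  const p = parseCsp(header);
  const sources = p['script-src'] ?? p['default-src'] ?? [];
  return sources.includes("'unsafe-eval'");
}

// Legacy pattern: turning a response string into an object with eval().
// Anything embedded in the string is executed, not merely parsed.
function parseLegacy(text) {
  return eval('(' + text + ')');
}

// Hardened replacement: JSON.parse() never executes code; input that
// carries anything other than JSON data throws a SyntaxError.
function parseSafe(text) {
  return JSON.parse(text);
}

// Constructed sample inputs. 'attackerHook' is a hypothetical global standing
// in for whatever an injected payload would call.
let hookCalls = 0;
globalThis.attackerHook = () => { hookCalls += 1; return 'pwned'; };
const malicious = '{"deviceId": attackerHook()}';
const benign = '{"deviceId": "abc-123"}';

// Run both parsers on the payloads and report what happened.
function demo() {
  const viaEval = parseLegacy(malicious);        // executes attackerHook()
  let viaJson;
  try {
    viaJson = parseSafe(malicious);
  } catch (e) {
    viaJson = 'rejected: ' + e.name;             // SyntaxError, nothing ran
  }
  return {
    weakAllowsEval: allowsEval(weakCsp),
    hardenedAllowsEval: allowsEval(hardenedCsp),
    evalResult: viaEval.deviceId,
    hookRan: hookCalls > 0,
    jsonResult: viaJson,
    benignResult: parseSafe(benign).deviceId,
  };
}

console.log(demo());
```

Under the hardened header, a browser refuses the eval() call in parseLegacy() outright and raises an EvalError, so a script that still depends on eval() or Function() forces the site to keep 'unsafe-eval' in its policy; replacing those calls, as parseSafe() does, is what lets the keyword be dropped.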

Resolution

Our recommendation is to use the latest version of riskminder-client.js from the 9.1 SP4 client package (AdvancedAuthenticationClientPackage-9.1.04.zip -> ca-devicedna-javascript-client-2.2.zip), which allows a stricter Content Security Policy (CSP) to be applied.

Additional Information

The product does not support CSP on the AFM JSP pages.