The insecure "unsafe-eval" directive in the browser's Content-Security-Policy header for riskminder-client.js is a client-side issue that arises when riskminder-client.js uses eval() and Function().
A hotfix that addresses this issue exists and can be requested via a Broadcom support case.
Refer to the document below for more details:
Content Security Policy (CSP) - safe usage of unsafe-eval?
Essentially, using the eval() function and the Function() constructor is unsafe.
In any application, such functions allow any user to execute arbitrary code.
Release : 9.1.x
Component: CA Risk Authentication (formerly Risk Minder)
The 'unsafe-eval' directive, when used, allows the application to use the eval() and Function() JavaScript functions.
This directive reduces the protection of riskminder-client.js against certain types of DOM-based XSS attacks.
Our recommendation is to use the latest version of riskminder-client.js, available from the support portal under the clients package, to achieve a safer CSP (Content Security Policy).
The product does not support CSP in AFM JSP pages.