crypto-js - Use of Weak Hash
tjcinnamon opened this issue · comments
Describe the issue
Please update crypto-js to: crypto-js@4.2.0
https://www.cve.org/CVERecord?id=CVE-2023-46233
Browser
Firefox
Browser Version
120
Extension Version
6.3.5
or more generally updating many of the libraries suggested via npm. Also, the js-crypto was recommended by Snyk.
Thanks for the issue. We will get to this after the holidays, currently very busy.
no worries! I love this software and appreciate your time and effort.
@tjcinnamon could you describe how this CVE affects us (outside of being bad practice)? We use argon2-browser for our password hashing. To my knowledge we don't use cryptojs pbkdf2 anywhere in the extension.
I'm happy that we aren't affected by this. To be clear, we do use crypto-js, but just for random values and AES encryption and decryption. e.g.:
Authenticator/src/store/Accounts.ts
Line 221 in d1bae1d
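The triage question raised in this thread (is the bundled crypto-js older than 4.2.0, and does any code call its PBKDF2 while relying on the library defaults that CVE-2023-46233 concerns?) can be checked mechanically. The following is an added example, not code from the Authenticator project; the function names, the sample file contents and the version string `4.1.1` are constructed for illustration.

```javascript
// Added triage sketch for CVE-2023-46233; all inputs below are constructed samples.
const FIXED = [4, 2, 0]; // crypto-js version requested in the issue

// True when a semver string (range prefix such as ^ or ~ ignored) is below 4.2.0.
function isBelowFixed(version) {
  const parts = version.replace(/^[^\d]*/, "").split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const p = parts[i] || 0;
    if (p !== FIXED[i]) return p < FIXED[i];
  }
  return false;
}

// Locate PBKDF2(...) calls and record whether iterations and hasher are set explicitly.
// Heuristic: only inspects the line the call starts on, so multi-line calls need manual review.
function findPbkdf2Calls(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, idx) => {
      const m = line.match(/\bPBKDF2\s*\((.*)/);
      if (!m) return;
      findings.push({
        path, line: idx + 1,
        explicitIterations: /\biterations\s*:/.test(m[1]),
        explicitHasher: /\bhasher\s*:/.test(m[1]),
      });
    });
  }
  return findings;
}

// Flag exposure only when an old version is combined with a call that leans on defaults.
function triage(cryptoJsVersion, files) {
  const calls = findPbkdf2Calls(files);
  const risky = calls.filter((c) => !(c.explicitIterations && c.explicitHasher));
  const outdated = isBelowFixed(cryptoJsVersion);
  return { outdated, pbkdf2Calls: calls, affected: outdated && risky.length > 0 };
}

// Constructed sample: one file using only AES and random values, one using PBKDF2 defaults.
const SAMPLE = {
  "src/aes-only.ts": "const ct = CryptoJS.AES.encrypt(secret, key).toString();\nconst r = CryptoJS.lib.WordArray.random(16);",
  "src/kdf.ts": "const k = CryptoJS.PBKDF2(pw, salt, { keySize: 8 });",
};
console.log(JSON.stringify(triage("4.1.1", SAMPLE), null, 2));
```

A result of `outdated: true` with `affected: false` matches the situation the maintainers describe: the dependency should still be bumped, but no call path reaches the weak defaults.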