Math.random() may be served by a weak pseudo-random number generator without violating the ES5 spec. Absent any restriction beyond the ES5 spec, however, this weakness raises a security concern: module_loaders support the creation of separate global contexts to support isolation, much as browsers already attempt to do with separate frames and workers. If the Math.random() functions of these contexts share an underlying weak pseudo-random number generator, such that code in frame X can guess how many times code in other frames has called Math.random() between two successive calls from frame X, then there is an unnecessary cross-frame information leak compromising this isolation.
One solution would be to require Math.random() to generate cryptographically strong random numbers. However, our need for a good source of randomness for crypto purposes still calls for a better API, so making Math.random() more expensive seems somewhat pointless. Instead, to repair this information leak, the post ES5 standard will require implementations to... Math.random() random generators per global context (e.g., per browser frame), so that any predictability of numbers emitted within one context provides no information about random state in a different context.
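The following added example (not part of the original page) models the leak and the per-context repair. The LCG, the seeds and all function names are assumptions made for illustration; no real engine's generator is modelled.

```javascript
// Toy 32-bit LCG standing in for a weak Math.random(). Constructed for this
// example; it is not the generator of any real engine.
const M = 2 ** 32;
function step(state) {
  return (Math.imul(state, 1664525) + 1013904223) >>> 0;
}

// Each call to the returned function advances the state and yields [0, 1).
function makeGenerator(seed) {
  let state = seed >>> 0;
  return () => {
    state = step(state);
    return state / M;
  };
}

// From two successive outputs seen by frame X, count how many draws were made
// in between by stepping the publicly known algorithm forward from the first.
function callsBetween(a, b, limit = 1000) {
  let state = Math.round(a * M); // the output exposes the full state
  for (let n = 0; n < limit; n++) {
    state = step(state);
    if (state / M === b) return n;
  }
  return -1; // no match within the search limit
}

// Frame X draws, frame Y draws `otherCalls` times, frame X draws again.
function observe(frameX, frameY, otherCalls) {
  const a = frameX();
  for (let i = 0; i < otherCalls; i++) frameY();
  const b = frameX();
  return callsBetween(a, b);
}

// Both frames backed by one generator: X learns Y's call count.
function sharedLeak(otherCalls) {
  const shared = makeGenerator(12345);
  return observe(shared, shared, otherCalls);
}

// One generator per global context: X's view is independent of Y's activity.
function isolatedLeak(otherCalls) {
  return observe(makeGenerator(12345), makeGenerator(67890), otherCalls);
}
```

With the shared generator, the value returned to frame X equals the number of calls made by frame Y; with one generator per context it is always 0.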