The problem with Math.random is that if you have enough samples, you can predict the next outcome of the function or even recover the seed and know the whole sequence. On practice it means that if the server respond to your request with the result of this function, you can try to exploit it. But if someone ran it on their computer for their own use, you most likely won't be able to do anything. It doesn't have some sort of bug that it generates values only in a narrow range, or makes a statis output like all zeroes or some other values.