My guess the hardware was not actually airgrapped.
But out of curiosity :
Which browser have you used ?
I had a quick look at securerandom.js (I did not inspect it throughly) :
It relies on the Web Crypto API (which is supported in all modern versions of browser), but if it is not supported it will fallback to Math.random() and/or ArcFour.
Both are not cryptographically secure - it is non-cryptographic pseudo-random number generator (PRNG). I believe there is even a comment in the code about PRNG.