Crypto recovery firm Unciphered published their research on a vulnerability affecting browser-based cryptocurrency wallets.

In a blog post on Tuesday, the firm said the vulnerability, which it dubs “Randstorm,” stems from the SecureRandom() function found in the JSBN JavaScript library and weaknesses in browser implementations of the Math.random() function.

This particular library was utilized by BitcoinJS wallets that were in use between 2011 and 2015, but Unciphered noted that it was difficult to pinpoint the exact time frame.

“We can confirm that this vulnerability is exploitable, however, the amount of work necessary to exploit wallets varies significantly and, in general, considerably increases over time,” said researchers at the firm.

“That is to say, as a rule, impacted wallets generated in 2014 are substantially more difficult to attack than impacted wallets generated in 2012.”

By the firm's estimates, the number of wallets at risk is in the millions, and the value at risk is over $1 billion. Unciphered said it is in the process of coordinating disclosures to the relevant parties so that affected users can be alerted to shift funds to a new wallet.

The firm claims to have discovered the vulnerability when trying to recover funds for a customer who was locked out of Blockchain.com. However, the researchers said they have refrained from sharing further details, as doing so would risk giving bad actors the ammunition to carry out an attack.

“Bad guys are no doubt already at work trying to create their own proof of concept so they can recreate and implement the attack we found. But we’re hoping that controlling some of the details will make it hard for them and give the honest owners a head start,” said the researchers.