Deykun
g/javascript

If an attacker observes two or three consecutive outputs of Math.random(), they can reverse-engineer the internal state of the generator and predict all future (and past) values with 100% accuracy. This has been demonstrated in multiple research projects and open-source tools.

Despite its quality, xorshift128+ is not cryptographically secure. For security-sensitive applications, use crypto.getRandomValues() instead.

https://www.reddit.com/r/AskProgramming/comments/1qt1n0i/comment/o2ziocg/
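
The replacement the post recommends, shown as an added example that is not part of the original post: drawing security-sensitive values from crypto.getRandomValues() instead of Math.random(). The helper names secureRandomInt and secureToken are hypothetical, and the Node.js fallback on the first line is an assumption for running it outside a browser.

```javascript
// Added example. crypto.getRandomValues is the Web Crypto CSPRNG; it is
// exposed as globalThis.crypto in browsers and current Node.js releases.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [min, max) drawn from the CSPRNG (hypothetical helper).
// Rejection sampling avoids the modulo bias of a plain `value % range`.
function secureRandomInt(min, max) {
  if (!Number.isSafeInteger(min) || !Number.isSafeInteger(max) || max <= min) {
    throw new RangeError('expected safe integers with min < max');
  }
  const range = max - min;
  if (range > 0x100000000) {
    throw new RangeError('range must fit in 32 bits');
  }
  // Largest multiple of range that is <= 2^32; draws at or above it are discarded.
  const limit = Math.floor(0x100000000 / range) * range;
  const buf = new Uint32Array(1);
  let value;
  do {
    webCrypto.getRandomValues(buf);
    value = buf[0];
  } while (value >= limit);
  return min + (value % range);
}

// Hex token carrying `byteLength` bytes of CSPRNG output (hypothetical helper).
// 16 bytes gives 128 bits, e.g. for a session id or password-reset token.
function secureToken(byteLength = 16) {
  // getRandomValues rejects requests larger than 65536 bytes.
  if (!Number.isInteger(byteLength) || byteLength < 1 || byteLength > 65536) {
    throw new RangeError('byteLength must be between 1 and 65536');
  }
  const bytes = webCrypto.getRandomValues(new Uint8Array(byteLength));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}
```

Observing earlier outputs of these helpers gives no way to compute later ones, which is the property Math.random() lacks.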
