The short answer is NO. There is no major client side security vulnerability with using eval statements.

Hosting

I assume you are pulling our library from the CDN? Here are my thoughts on what you should do:

You should copy the library to a local environment to avoid us changing ZingChart versions on you.  CSP (content-security-policy) is irrelevant if you are gonna hotlink to our CDN, in that we are no stricter than you are.  If you are self hosted then you can of course configure the header as you like for the override.  As long as you trust the script itself, there is nothing to worry about with an eval() and CSP because you are assuming someone has local access to inject anyway.

Eval

We use eval because it provides a higher level of obfuscation and compression. Using an eval has no side effects worse than anything else an end user could do on the client. setTimeout , setInterval  are eval() with timers so if don't like eval, don't like those either. Are those popping up as security concerns? We don't intend to change this immediately for version 2.x.x anytime soon.

Did this answer your question?