Browser side private key generation security?

How safe are the keys that are generated browser side from theft? I have concerns about securing multi-sig funds with keys that are generated in the browser using the bitcore-lib javascript library.

In my angular.js application, I use and create several multi-sig addresses. All of the addresses are 2 of 3 addresses. My current security model is to only store one of the three private keys in a database. The other two keys are only generated client side when someone enters a seed or generates a new seed.

Is this “safe”? I know in this space pretty much everything is safe until it isn’t anymore. I want to make sure I take all proper precautions when it comes to securing my users’ money. Is there a way that hardware wallets could be used together with the bitcore browser library to give some added security and possibly sign transaction offline?

Any and all opinions are welcomed.