I have some data like UserId, tokenId, sessionId which I have to pass with every AJAX call that is used for validation/authentication/processing.
I stored that data in a global JS object. So when a user views the source of the page, this will be visible to them.
According to the penetration security team of my organisation, it's a security threat to show sensitive data like UserId, tokenId, sessionId when viewing the source.
How do I store that data in JS/the browser so that on viewing the source it will not be visible? What different approaches are used by web development companies to store data like userId? Storing this data in a cookie or encrypting it will be a performance hit as it is heavily used.
tokenId is a CSRF token ID and sessionId is the session ID.
I'll have to answer this based on a lot of assumptions, but I'll update my answer if you edit your question and let me know.
What is UserId?
If this is a cleartext ID of the user then it could be a risk to your system. e.g. if your admin account had ID 0 and then a malicious user set their UserId cookie to 0 - would this enable the malicious user to act as admin?
You haven't said what tokenId or sessionId are either, so it is difficult to comment further, but for the purposes of this answer I will assume that tokenId is an Anti-CSRF token and sessionId is the authentication session ID.
If this is the case, then UserId should not come from a cookie value or from a hidden field on your page - it should be derived server-side from sessionId and should come from whichever session the current user has authenticated with.
There is no inherent risk of displaying tokenId and sessionId in source if you have set the appropriate headers to disable public caching, but if these values are already available in cookies then there is no need to set them again in code. This smells of a potential business logic flaw as your AJAX request will be sending the values in two ways (request and cookie) - so make sure that you are only using one way to ensure all your logic is consistent.
So to summarise, the most "secure" place for session data is actually in cookies because they will not be cached outside of the cookie mechanism (such as within the source of cached pages). However, make sure that these cookies are only sent over HTTPS and are not available over the DOM by setting the Secure and HTTP Only flags.
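As an added example (not part of the original answer), here is how the advice above looks server-side in Node.js: the session cookie carries the Secure and HttpOnly flags, the acting user is derived only from the server-side session, and a client-supplied UserId is ignored. The session store, the session/CSRF values and the X-CSRF-Token header name are constructed assumptions for the illustration.

```javascript
// Added example, not from the original post. Plain Node.js, no external dependencies.
// Server-side session store: sessionId -> { userId, csrfToken }. Constructed sample data.
const SESSIONS = new Map([
  ["s3ss10n-abc", { userId: 42, csrfToken: "csrf-7f3a" }],
]);

// Cookie flags the answer recommends: Secure (sent over HTTPS only) and
// HttpOnly (not readable from the DOM, so a script on the page cannot leak it).
function sessionCookieHeader(sessionId) {
  return `sessionId=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Minimal parser for an incoming Cookie request header.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve the acting user from the session cookie only. Any UserId the client
// sends (cookie, hidden field, JSON body) is deliberately never consulted.
function resolveUser(req) {
  const cookies = parseCookies(req.headers.cookie);
  const session = SESSIONS.get(cookies.sessionId);
  if (!session) return { ok: false, status: 401, reason: "no valid session" };
  // Synchronizer-token check: the anti-CSRF token the AJAX call sends must match the
  // one stored server-side for this session (hypothetical header name X-CSRF-Token).
  if (req.method !== "GET" && req.headers["x-csrf-token"] !== session.csrfToken) {
    return { ok: false, status: 403, reason: "csrf token mismatch" };
  }
  return { ok: true, status: 200, userId: session.userId };
}

// Constructed requests: a client that sets UserId=0 still acts as the session's real user,
// and a state-changing request without the session's CSRF token is rejected.
const tampered = {
  method: "POST",
  headers: { cookie: "sessionId=s3ss10n-abc; UserId=0", "x-csrf-token": "csrf-7f3a" },
  body: { UserId: 0 },
};
const noCsrf = { method: "POST", headers: { cookie: "sessionId=s3ss10n-abc" }, body: {} };
```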