Third-Party Scripts on Websites Present a Broad & Open Attack Vector

Published: 23/11/2024   Category: security




Nearly half of the world's largest websites use externally generated JavaScript that makes them ripe targets for cyberattackers interested in stealing data, skimming credit cards, and executing other malicious actions.



Many organizations may be significantly more vulnerable to risks from third-party JavaScript in their websites than they think. New analysis from Source Defense finds a high prevalence of third-party (and even fourth-party) scripts on most websites, which is concerning because of the relative ease with which they could be used to sneak in malicious code.
Typically, when a webpage calls a third-party script, the visitor's browser fetches it directly from an external server belonging to the third party. The script never passes through the site owner's own infrastructure, so it bypasses controls such as perimeter and Web application firewalls and network monitoring tools, according to the security vendor. That gives threat actors a way to introduce malicious code into the environment via third-party scripts. The problem is exacerbated by the fact that developers of third-party scripts often include code from other developers, who in many cases have sourced code from yet another developer, Source Defense said.
Yet most organizations use third-party scripts for integrating shopping carts, dynamic forms, processing orders and payments, presenting social media buttons, visitor tracking, and a variety of other functions. The scripts are readily available — often for free — from numerous sources, including open source organizations, social media companies, cloud providers, advertising networks, and content delivery networks, the Source Defense report says.
In an analysis of 4,300 of the world's largest websites, the firm found that each site had 15 externally generated scripts on average, with an average of 12 of them on sensitive pages, such as those for collecting user information or for processing orders and payments. Nearly half (49%) of the websites in Source Defense's study had external code with functionality for retrieving form input and monitoring users' button clicks. More than 20% had external code that could modify forms. Most sites had multiple scripts on every single webpage.
Source Defense found that websites belonging to organizations in some sectors carried substantially more third-party scripts than the average. Financial services websites, for instance, had an average of 19 scripts on sensitive pages, or 60% more than the average across all sectors. Healthcare organizations had 15 of them on average.
Adversaries remain hyper-focused on data theft from websites that conduct transactions or capture sensitive data, says Hadar Blutrich, CTO and co-founder of Source Defense.
In recent years, there have been numerous incidents where attackers have manipulated or used third-party scripts to steal user and payment card data, redirect users to malicious sites, log keystrokes, and carry out a variety of other malicious activity. One well-known example is Magecart, a hacker collective that over the years has pilfered data on hundreds of millions of payment cards by sneaking card-skimming software into third-party scripts on retail websites.
Such attacks can have big consequences for businesses. For example, in one incident in 2018, Magecart hackers sneaked a few lines of code into a British Airways website page, exposing personal data belonging to some 380,000 customers. The UK data protection regulator later proposed a fine of more than $200 million over the incident.
The attack vector remains broad and open for even the world's largest sites, and the risk of significant material loss is quite real, Blutrich says.
To compromise third-party scripts, threat actors sometimes infiltrate public code repositories, he notes. In other instances, they identify organizations that have large networks of clients and compromise scripts from those organizations to perpetrate one-to-many attacks, he says. As one example, Blutrich points to an attack earlier this year in which over 100 sites related to real estate were compromised after an attack planted malware in a cloud-video component on a site belonging to Sotheby's real-estate arm.
The maturity of enterprise processes for mitigating risk from third- and fourth-party scripts tends to vary, Blutrich notes. In some instances, there's no oversight: digital and marketing teams act on their own to implement new website functionality and engage with third parties, without involving the enterprise security team.
However, in more mature cases, we've heard of script councils being in place where digital must work with security/compliance to vet and approve any supply chain partners, he says.
Regardless of the internal processes for approval, more must be done for managing and securing the script, Blutrich says. Once on the site, even if approved, benign changes from the partners themselves may jeopardize compliance and, obviously, malicious changes from threat actors can lead to major data theft and fraud concerns.
