#1 Fergal (SitePoint Evangelist; Ireland; joined Nov 2003; 500 posts)

    Security risk from adding advertiser's JavaScript

    An advertiser would like to add the code below to my site, for privacy reasons I've removed the URL from the code.

    Code:
    <script src="http://[REMOVED]page.js"></script>
    Would adding that code be a security risk?

    If it is, is there anything I can do, besides not adding the code, to alleviate the risk?

    Many thanks!
    Fergal Crawley (Previous Username: Proudirish.com)

#2 felgall (Sydney, NSW, Australia; joined Sep 2005; 16,825 posts)
    The risk would depend on what that script contains. As an advertiser's script, what it most likely contains is the code to add their advertisement into your page and probably calls to a cookie to track who sees their ad. If that is all that their script contains (which is likely) then there is no risk to you in using it. People visiting your page can stop the script tracking them by disabling third-party cookies and can stop the ad displaying at all using an ad blocker.
    Stephen J Chapman


#3 Jeff Mott (SitePoint Wizard; joined Jul 2009; 1,276 posts)
    Quote Originally Posted by Fergal View Post
    Would adding that code be a security risk?
    Technically yes, it's a security risk. Allowing a third party to execute arbitrary JS means they could steal session cookies, which could allow them to log in, for example, as an admin. You're trusting that the advertiser's JS doesn't contain anything harmful, or that something harmful won't be inserted at some point in the future.

    I vaguely recall reading that you can protect against this by loading the third-party JS in a frame. Your parent frame JS can invoke the third-party code, but the third-party JS can't escape its frame. There may be more to it than that, and I may be mis-remembering as well, but that should give you something specific to research.

#4 Mittineague (Programming Team; West Springfield, Massachusetts; joined Jul 2005; 17,183 posts)
    As felgall said, if that's all the script does you should be OK.

    Ask yourself 2 questions.
    Do you have complete trust that the source won't ever do anything malicious?
    Do you have complete trust that the source site's security will prevent anyone from modifying the script file?

#5 Fergal (SitePoint Evangelist; Ireland; joined Nov 2003; 500 posts)
    Thanks for your replies, that is very helpful.

    The script in question is hosted on Google's appspot.com, should that give me any reassurance? Just to clarify, I'm dealing with a third party, not with Google.

    Quote Originally Posted by Mittineague View Post
    ...Do you have complete trust that the source won't ever do anything malicious?
    Do you have complete trust that the source site's security will prevent anyone from modifying the script file?
    Those are great questions and have given me a lot to think about, thanks for that.

#6 EastCoast (Community Advisor; UK; joined Nov 2006; 2,551 posts)
    Quote Originally Posted by Fergal View Post
    The script in question is hosted on Google's appspot.com, should that give me any reassurance?
    No, in fact I'd say that it would give me more doubt - all the big ad vendors (who you could trust) generally use their own hosting/CDN, so in effect you are dealing with a lesser-known quantity that is outsourcing its hosting.

#7 Fergal (SitePoint Evangelist; Ireland; joined Nov 2003; 500 posts)
    Thanks for your reply @EastCoast.

    I'm more than a little bit embarrassed to say this, but for the benefit of others who may be viewing this thread, I installed the code / script on my site and unfortunately it damaged some of the site templates. The code has now been removed and the major issues have been fixed (there are still some templates that need to be repaired). I don't believe that there was anything malicious involved, just that the developers didn't code or test the script as well as they thought they did.

    What I really should have done was test the script on a test site before letting it anywhere near the live site. The advice I received in this topic was excellent, but I made an error of judgement.

    Thanks everyone!

