3rd Party JavaScript…party
3 min read, Feb 13, 2020
This post comes directly from the Considering 3rd party purchases and tools post, so see that one for a deeper dive into threat modeling product assessments by clicking here. This explanation is beefy enough to warrant its own post, so enjoy!
First — what are the risks with 3rd party products?
- Breaking changes: not just through code injection. Another scenario is that your tooling depends on a CDN and that CDN changes, which can break your site or cause an outage. Not all of these problems are malicious in intent.
- Loss of control of your client-side product. Code injection such as Cross-Site Scripting that compromises your site could look like posting inflammatory content (defacement), installing cryptominers, keylogging, or running arbitrary code on customers’ computers.
- Adding JavaScript with a tag, a CDN, or what have you gives that code complete access to your domain. If that script goes bananas, say because its vendor is experiencing a hack, you’ve introduced the compromise to your domain as well. Hello, supply chain attacks like this and this.
- Could leak sensitive information or identifiers to a third party, such as internal identifiers, HTTP headers, customer IP addresses, or customer behavior/profiling data.
The following sections can help you mitigate these risks:
Direct JavaScript includes and CDNs
This looks like a <script> element added directly to the HTML, in the head or body of a page.
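As an added example (not code from the original post), here is a small audit that inventories the <script src> includes in a page and reports which ones load from an origin other than your own, and whether each carries an integrity attribute (Subresource Integrity, a browser standard the visible post does not cover). The HTML, the site host "example.com" and the vendor host "cdn.example-vendor.net" are constructed placeholders.

```javascript
// Added example: inventory external <script> includes in an HTML document,
// classify each as first-party or third-party relative to the site's host,
// and note whether it is pinned with an integrity (SRI) attribute.
// The sample HTML below is constructed; hosts and hash are placeholders.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example-vendor.net/widget/v3/widget.js"></script>
  <script src="//cdn.example-vendor.net/lib.min.js"
          integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
  <script>console.log("inline")</script>
</head><body></body></html>`;

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one record per external script: { src, host, thirdParty, sri }.
function auditScripts(html, siteHost) {
  const results = [];
  for (const tag of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(tag[1]);
    if (!attrs.src) continue; // inline script: not an external include
    // Relative and protocol-relative ("//host/path") URLs resolve against the page.
    const url = new URL(attrs.src, `https://${siteHost}/`);
    results.push({
      src: attrs.src,
      host: url.host,
      thirdParty: url.host !== siteHost,
      sri: Object.prototype.hasOwnProperty.call(attrs, "integrity"),
    });
  }
  return results;
}

// Third-party scripts with no integrity pin: these can change under you silently.
function unpinnedThirdParty(html, siteHost) {
  return auditScripts(html, siteHost).filter((r) => r.thirdParty && !r.sri);
}

for (const r of auditScripts(SAMPLE_HTML, "example.com")) {
  console.log(`${r.thirdParty ? "THIRD-PARTY" : "first-party"} ${r.sri ? "[SRI]" : "[no SRI]"} ${r.src}`);
}
```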