Cross-Domain JavaScript Source File Inclusion

ID

cross_domain_javascript_source_file_inclusion

Severity

low

Kind

Access Control

CWE

829

Description

This detector identifies pages that load JavaScript files from external third-party domains, including content delivery networks, analytics providers, or other external sources. It flags any script tag with a src attribute pointing to a domain different from the application’s own domain.

Rationale

Loading scripts from third-party domains grants those domains complete control over the application’s execution context and access to all user data on the page. If an external script source is compromised through supply chain attacks, DNS hijacking, or account takeover, attackers can inject malicious code that executes with full privileges in the user’s browser. This enables stealing authentication tokens, capturing user input including credentials, performing actions on behalf of users, or defacing the application. Even trusted third parties can become attack vectors if their infrastructure is compromised or if they are acquired by malicious actors.

Remediation

Ensure JavaScript source files are loaded only from trusted sources, and that those sources cannot be controlled by end users of the application.
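The following is an added example, not the detector's or the product's own code. It applies the check described above: each script src is resolved against the page URL, a differing hostname is reported as cross-domain, and an optional allowlist of vetted hosts stands in for the remediation's "trusted sources". The regex extraction, helper names, sample HTML and URLs are constructed for illustration.

```javascript
// Added example, not the scanner's own code: flag <script src> tags whose host
// differs from the page's own. Regex, helper names and sample data are constructed.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Pull every src value out of <script ...> tags (inline scripts have none).
function extractScriptSources(html) {
  const sources = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const src = (m[1] ?? m[2] ?? m[3]).trim();
    if (src) sources.push(src);
  }
  return sources;
}

// Return script sources served from a host other than the page's own, minus
// hosts the application owner has explicitly vetted (trustedHosts).
function findCrossDomainScripts(html, pageUrl, trustedHosts = []) {
  const page = new URL(pageUrl);
  const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const src of extractScriptSources(html)) {
    let resolved;
    try {
      // Resolving against the page URL keeps "/static/app.js" same-origin and
      // expands protocol-relative "//cdn.example.net/lib.js" to a full URL.
      resolved = new URL(src, page);
    } catch {
      continue; // unparsable src: nothing to compare
    }
    // Only network-fetched scripts can be cross-domain; skip data:, blob:, etc.
    if (resolved.protocol !== "http:" && resolved.protocol !== "https:") continue;
    if (resolved.hostname === page.hostname || trusted.has(resolved.hostname)) continue;
    findings.push({ src, host: resolved.hostname });
  }
  return findings;
}

// Constructed sample page: two same-domain scripts, two third-party ones, one inline.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://app.example.com/js/vendor.js"></script>
<script src="//cdn.example.net/lib.min.js"></script>
<script src='https://analytics.example.org/tag.js' async></script>
<script>window.inline = true;</script>
`;
const SAMPLE_PAGE_URL = "https://app.example.com/account/settings";

console.log(findCrossDomainScripts(SAMPLE_HTML, SAMPLE_PAGE_URL));
// → flags cdn.example.net and analytics.example.org, nothing else
```

Passing a vetted host in `trustedHosts` suppresses that finding, which is how a triaged third party such as a chosen CDN would be recorded; the protocol-relative `//cdn.example.net/...` form is still caught because it resolves to a full URL before comparison.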