Subresource Integrity Attribute Missing

ID

sub_resource_integrity_attribute_missing

Severity

high

Kind

Security Misconfiguration

CWE

345

Description

The integrity attribute is missing on a script or link tag that loads a resource from an external server. The integrity attribute carries a cryptographic hash of the expected resource, so an attacker who has gained control of that server (or of the path between it and the browser) cannot substitute malicious content: the browser computes the hash of what it fetched and refuses to execute or apply the resource if it does not match.

Rationale

Without Subresource Integrity (SRI) protection, applications are vulnerable to supply chain attacks through compromised external resources. If an attacker gains control of a third-party CDN or script provider, they can inject malicious code that executes with the same privileges as the page's own scripts: full access to the DOM, to any cookie not marked HttpOnly, to local storage, and to the user's authenticated session. This attack vector has been used in real-world breaches to steal credentials, inject cryptocurrency miners, and exfiltrate sensitive data from thousands of sites simultaneously, because a single compromised library is loaded by every site that references it.

Remediation

Add integrity attributes to all script and link tags that load resources from external domains. Generate the cryptographic hash of the exact bytes the server delivers using SHA-256, SHA-384, or SHA-512, base64-encode it, and include it in the integrity attribute prefixed with the algorithm name, together with a crossorigin attribute. For example: <script src="https://example.com/lib.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>. The crossorigin attribute is required for cross-origin resources: the browser only enforces SRI on responses fetched in CORS mode, so the external server must also send an Access-Control-Allow-Origin header, otherwise the resource is blocked. Pin only versioned, immutable URLs (for example /lib@1.2.3/lib.min.js rather than /lib/latest.js); a URL whose content changes will fail the check and the resource will not load. Update hashes whenever external resources are updated, and verify the new hash against a copy obtained from the project's own release rather than from the CDN you are trying to protect against.