0

It is well-known that third-party JavaScript inclusion is risky, but I wonder what actual damage can be caused if the third-party script is malicious. Of course the script can cause as much damage as possible to its own DOM; other than that, can it affect other DOMs, and can it cause any damage to the browser or the host computer?

SamTest
    It depends on which browser, which version, up to date or not, whether the attacker has knowledge of bugs ... – curiousguy Dec 17 '19 at 06:11

2 Answers

4

Perhaps the most prolific recent attack involving compromised scripts hosted by third-party servers is Magecart, which targeted scripts for Magento. This attack compromised thousands of sites, including British Airways, Ticketmaster, and others. It was used to steal credit card information of hundreds of thousands of users of these sites. See https://www.csoonline.com/article/3400381/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html for more info.

The attackers launched the attack by modifying JavaScript scripts hosted on third-party sites (such as GitHub and various CDNs) that the victim sites incorporated into their own sites.

Preventing this attack is rather simple. This is exactly the type of attack that Subresource Integrity is designed to defend against.

mti2935
3

Of course the script can cause as much damage as possible to its own DOM

The script has no "own DOM". The document where it is included has a DOM, and the third-party script has full access to it, which means it can manipulate the document, extract information from the document, impersonate the user, etc. See also Should I be worried of tracking domains on a banking website?.

... can it affect other DOMs

The script behaves like a same-origin script regarding the separation of the DOM between frames, tabs or windows. That means it is restricted by the same-origin policy, but the origin is that of the document where it is included, not the site the cross-origin script was loaded from. This specifically means that it can access and manipulate the contents of iframes in the current document which have the same origin as the document. The script can also issue cross-window or cross-frame communication, and in this case it will also be treated as having the origin of the document where it was included and not of the site where it was loaded from.

... can it cause any damage to the browser or the host computer?

Nothing in the web browser usually has enough access to do such damage. Of course, if the document has access to the camera, microphone, USB devices (which might control external hardware) or is excluded from popup protections, then the included script can use all of this too, because it is treated no differently from a same-origin script.

Steffen Ullrich