
I used a web vulnerability scanner to scan my website. It flags several links with "Cross domain Java script source file inclusion."

May I know how an attacker would exploit this type of vulnerability, exactly? For example, the JS in question comes from addthis.com (share buttons etc.). For this exploit to work, an attacker has to exploit addthis.com, change their addthis.js, and then somehow, when my users browse my website, this modified addthis.js will be executed in my users' browsers? Am I even on the right track?

If I wish to remediate this, what is the correct approach? Download the external domain's JS to our side and run it from our web server? What other better and safer approaches could there be? Thanks.

dorothy

1 Answer


Yes, all your assumptions are correct there.

As you are including content from addthis.com, your client-side origin is fully trusting this domain. If there were any compromise of addthis.com, or if addthis.com decided to change the script to do something more invasive, then your site would be vulnerable.

For example, addthis.com may suddenly decide they want to collect data from end users of their script, and this data might include cookies and HTML5 storage data. By including the script from their domain you are allowing them to make these changes without agreement from you.

Yes, downloading the file and hosting it from your own domain is the safe approach. Bear in mind, however, that you still need to trust the actual code to do what you're expecting and only what you're expecting. So it might be worthwhile manually auditing the code and doing any operations such as minification yourself.

SilverlightFox
  • It's worth noting that the drawback you'll face as a trade-off for enhanced security is that you'll have to update your JS references manually any time a new version is released, rather than it always picking up the newest version from the author. But yes, this is the better way to go about it. – AlexH Mar 04 '15 at 11:11