Third-party Javascript considered harmful. Use SRI!

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

Another in the growing line of supply chain attacks. It's inevitable that as primary sites improve their security, attackers will seek to exploit other elements in the chain that might present easier targets.

Given the number of 3rd party JavaScript files that commonly get loaded for things like tracking and analytics, it seems likely we'll see more of these kinds of sites getting targeted.

Only 100 sites impacted: https://publicwww.com/websites/%22d20iczrsxk7wft.cloudfront....

Appears these seals have died out.

Glad to see they're dying out, they really did seem to me like an example of Security Theatre.

These particular ones are $29.95/month, and don't appear to include any sort of scanning, verification, etc. So there's not even a "theater level" attempt to relate to security.

I use dnscrypt and log all my DNS queries, I'm pretty relieved to see that I've never looked up the domain used to exfiltrate the data! Gist of the unobfuscated code is here: https://gist.github.com/gwillem/4403a9caf6877d6276cf6fe834a0...

Trust seals are easily faked and train users to trust in band signaling (eg images of locks etc to mimic HTTPS, logos etc) instead of paying attention to the URL bar.

They should be considered harmful with or without malicious javascript.

Isn't it ironic, dontcha think?