Does including all these 3rd party javascript files impose a security risk?

When you have all these various javascript files included on a page for various services like website analytics, click tracking etc., doesn't this create a huge security risk because using javascript they can hijack the person's credit card that is entered on the form?

How is this even considered to be safe currently?

Meaning, your server is secure, your payment provider is secure, you have SSL, but if someone was to hack into any of these services people use (I see over 10+ services many sites use to track clicks, ad related, etc.) then they can compromise your payment form.

cool breeze asked Mar 15 '23 02:03


1 Answer

Yes, this is a security risk, known as a third-party script include.

By including a script on your page hosted by a 3rd party, you are trusting that the external domain is neither malicious nor compromised. By using a <script src="//example.com"> tag, the third party domain has full control of the DOM on your site. They can inject whatever JavaScript they wish.

You are right to be concerned. PageFair was recently compromised, bringing down with it every site that it offered its analytics service to. You should verify all third party domains that you are referencing for script, and ensure you trust them. For example, you are probably OK with the big guys such as Google and Facebook; however, for any others you should consider either dropping them or reviewing the script code and then hosting it locally on your domain instead.

You can mitigate this with subresource integrity:

<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

This will ask the browser to check that the loaded script has the specified cryptographic hash. Any change to the script, even as little as a single character, would produce a completely different hash, enabling any changes to be detected, and the script would be rejected from loading and running. As of August 2018, all major browsers support it except for IE and iOS Safari.

SilverlightFox answered Mar 16 '23 16:03