Randy Westergren writes:
Any time we allow 3rd party scripts to run on our sites, we effectively relinquish control of the code that executes on the client. This is particularly important when integrating ad network scripts since they are inherently more dynamic than most other types of integrations, the cause of which is the ad industry’s general fragmented nature.
Randy details the vulnerability and lists high profile vulnerable sites including The Telegraph, NYPost, CBS News, NBC News, NYTimes, MSN, Washington Post and the BBC.
It’s always surprised me that publishers are so willing for third-party scripts to be served to their customers over the RTB exchanges without any real quality control tools. Even guaranteed advertising presents quality control challenges for publishers who are limited to sampling the responses of agency ad tags, rather than being able to examine the underlying creative or tracking scripts directly or be notified of changes being made by the buyer.
Given vast coverage of advertising across the web and their vulnerability to XSS attacks, it is surprising so few have attacks have been documented. Yet another reason to run an ad blocker, despite the financial hurt they cause to publishers.