The Blessing and Curse of First and Third-Party JavaScript
April 01, 2024

Rui Ribeiro
Jscrambler

The web as we know it today didn't evolve overnight. It began with TCP/IP, followed by HTML, the browser, and, last but certainly not least, JavaScript. Today JavaScript, one of the foundational technologies of the World Wide Web, is fueling a massive shift toward client-side innovation by digital businesses of all sizes and industries worldwide.

JavaScript frameworks have accelerated this shift by letting teams build rich front ends quickly. It also required businesses to encapsulate and expose back-end functionality as APIs for the front end to consume, which moved more of the application logic, and more of the data handling, into the browser.

Fast forward to the present day, and digital marketing and business teams are enhancing online experiences by tapping into thousands of third-party solutions (A/B testing, analytics, advertising, retargeting, online payment, CDPs, social media, etc.) that can be dropped into any web page. This launched what we like to call the "bring your own tag" era: third-party JavaScript, delivered through modern Tag Management Systems and tracking pixels, makes it easy to deploy, test, and integrate new vendors without a release of the site itself.

These developments have been a blessing for businesses looking to develop and roll out new cutting-edge digital experiences. Today, more than 98% of websites around the world use JavaScript as their client-side language. But this use introduces challenges. The average web page now carries more than 60 third-party scripts, and each of them runs with the same privileges as the site's own code: it can read and modify the DOM, including every form field on the page, read cookies not marked HttpOnly, and send requests wherever it likes. In most organizations none of this is monitored or constrained.

Here are four examples of challenges businesses are facing as a result.

1. New Security Threats

Client-side digital innovation has introduced a new wave of security threats that tie back to one thing: JavaScript executes in the user's browser, an environment the site does not control, where anyone can read it and modify it. It should not come as a shock that this creates weaknesses attackers can exploit. An attacker who can alter a website's JavaScript, whether by compromising the site, a CDN, or a vendor, can change its behavior to steal sensitive information such as payment card details, or to lift valuable content such as streamed audio and video. First- and third-party scripts have become the anchor points for these attacks, and growing numbers of businesses are getting caught in the crosshairs of web skimming, of which the Magecart family of attacks is the best known.

There's also a rising tide of supply-chain attacks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. In these instances, malicious actors compromise a third-party website add-on, also known as a tag, at its source. Because the tag is loaded live from the vendor, every site that embeds it, and every user of those sites, is exposed the moment the vendor's copy changes.

As businesses become increasingly reliant on client-side JavaScript, its weaknesses and the client-side blind spots around it are being exploited more often. This trend will only intensify as attackers use AI to generate and vary malicious scripts faster, making them more sophisticated, more insidious, and harder to detect than before.

2. New Risks of Data Leakage

Online "partners," the third-party JavaScript solutions you implement on your web pages, also feast on the data collected from client-side interactions, because the AI-powered products behind them are insatiable for training and profiling data. Nothing in the browser stops a script on your page from reading a form field, a URL parameter, or a piece of page content and sending it to the vendor's servers. They do so without asking, and this is not just any data. It's yours. It's your customers' data, which all parties assumed was private, secure, and protected. Many are now discovering that it is being collected, used, and processed, in most cases without their explicit permission.

3. New Compliance Challenges

The universal usage of first- and third-party JavaScript isn't just a trend; it's creating a perilously exposed client-side environment, and regulators have noticed. The Payment Card Industry Security Standards Council (PCI SSC) now requires merchants to maintain visibility, risk management capabilities, and control over how JavaScript is used on their payment pages. The original objective was to stop web skimming, but the focus is increasingly on preventing data leakage as well. PCI DSS v4.0, published in March 2022, is the updated set of requirements for handling, storing, and transmitting cardholder data securely, and it adds two requirements aimed squarely at payment-page scripts: requirement 6.4.3, which calls for an inventory of every script on the payment page with a written justification for each, a method to confirm each script is authorized, and a method to assure its integrity; and requirement 11.6.1, which calls for a change- and tamper-detection mechanism covering the HTTP headers and contents of payment pages as received by the browser, evaluated at least weekly. Both were future-dated and become mandatory on 31 March 2025.

4. Existing Tools Fall Short: The Case for Client-Side Protection

Shifting away from JavaScript and third-party add-ons is not an option. They speed up development and allow companies to use best-of-breed solutions to enhance the user experience.

Some companies are leveraging browser capabilities such as Content Security Policy (CSP) and Subresource Integrity (SRI). Both add a real layer of defense, but neither is sufficient on its own for comprehensive protection of first- and third-party JavaScript, and the reason is what each one actually checks. CSP restricts where scripts may be loaded from (and, with nonces or hashes, which inline scripts may run), but it says nothing about what an allowed script does once it is running: a compromised tag served from an allowlisted vendor host passes CSP unchanged. SRI pins a script to the hash of its exact bytes, which is ideal for a first-party bundle you build yourself, but a third-party tag that the vendor updates two, three, or four times per week will fail the check on every release until someone updates the integrity value. Both mechanisms therefore depend on manual policy maintenance to keep pace with vendor changes, and both fail closed in enforcing mode: the browser refuses to run anything unrecognized. On a payment page that rigidity is a business risk, because a single blocked resource can stop transactions from going through. (CSP does offer a Content-Security-Policy-Report-Only header that reports violations without blocking, which is the sensible way to stage a policy, but it enforces nothing.) These controls must be complemented with more advanced and automated solutions capable of monitoring and managing script behavior and integrity in real time. This is where client-side protection and compliance solutions can help.

Some features that address these challenges I've outlined above include:

Advanced JavaScript Obfuscation + Runtime Defense: Obfuscation raises the cost of reading and reverse-engineering first-party code, and runtime defenses built into it (integrity self-checks, anti-debugging, anti-tampering) detect and react when that code has been modified; on its own, obfuscation does not prevent tampering, so the two belong together. Also consider a platform that supports environmental checks, such as browser and device checks, and can lock the code when a threat is identified.

Fine-Grained Third-Party Tag Control: The other element to look for is control. It is important to identify every third-party tag across all of the business's pages and to gain fine-grained control over what each tag's JavaScript may do and which data it may read. Valuable additions include reports detailing the risks associated with each script, a workflow for approving new third-party add-ons, detailed controls over the data accessible to each script, and dashboards that let teams continually monitor all third-party vendors' activity.

Expertise: The chosen vendor should provide full customer support at every step. Clients will need help choosing the right first-party JavaScript obfuscation techniques for their needs. For third-party tags, skilled consultants should be available to guide them in setting up the best risk mitigation strategies, including suitable data fencing tactics. And then the question of ongoing management will surely arise; the most sophisticated vendors will offer to manage it as well.

These are just a few of the areas vital to regaining control of first- and third-party JavaScript environments, and as you begin your journey there will be many others to consider. In the end, the key is finding a solution that works with your existing stack and lets your business keep its commitment to client-side innovation while providing the freedom to do so securely.

Rui Ribeiro is CEO and Co-Founder of Jscrambler