- As discovered by security researcher Randy Westergren, many major tracking scripts don’t sanitize their data properly. This allows hackers to inject any code that they want, including one that can steal credit card information.
- A lot of “freemium” web services have been known to surreptitiously track user data and sell it to advertisers.
- Scripts that contain non-HTTPS domains can trigger warnings for users on secure pages. They can also make personal user data more readily accessible to attackers.
- A third-party script can change at any time. This means that even after a code review, there’s no guarantee the script is doing what it says it does.
If we run http://nytimes.com through PageSpeed Insights, this is what we get:
- Only send the code that your users need.
- Minify your code.
- Compress your code.
- Remove unused code.
- Cache your code to reduce network trips.
Best Practices for Publishers
Publishers typically don’t have much control over third-party JS. But there are things they can do to ensure that their site and users are protected.
AdPushup is an ad revenue optimization platform, we help publishers increase their ad revenue by using ad layout optimization, header bidding, ad mediation, adblock recovery, innovative ad formats, and AMP. We are a Microsoft Ventures funded startup, a Google NPM AdX Partner, and winner of NASSCOM Emerge 50 award for innovation. You can request a demo here.