Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.
A few days ago there was a lot of chatter about a 'keylogger' built in CSS.
Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.
While most are acutely aware, yet ignore, the danger presentd by third-party javascript and javascript in general, most forget about CSS. Jake reminds us and walks through quite a few exampled of how CSS can be misused by third-parties exporting it.
Source : Third party CSS is not safe
(Score: 2) by canopic jug on Thursday March 01 2018, @06:08AM
Or they could just do ads without infecting viewers with javascript. There's no technical reasons that the ads could not be plain PNG, JPEG, or GIF. I'm not sure about APNG but maybe that too. On the other hand there are many reasons not to include scripts, especially from the viewpoint of those targeted to receive said scripts. There is now even a word for the malware that spreads through the advertisements, malvertising [wired.com], and it's not a new thing either.
Brendan Eich, who developed javascript, himself even says you should block javascript used for 3rd party trackers, fingerprinting, and ads. Though that is said as part of his promotion of his new browser, Brave [brave.com].
Money is not free speech. Elections should not be auctions.