External Resources

A resource, e.g. JavaScript or CSS, is loaded from an external domain.

What can happen?

There are two main problems with external resources:

1. The resource could change

The owner of the external domain can change the content of the resource whenever they want, which affects every site the resource is included on. The change does not even need to be made by the resource owner: the same problem arises if the owner is hacked.

2. Shared resource, shared vulnerabilities

When a JavaScript file is included, the site inherits not only all of its functionality but also every vulnerability in the script. Hackers do not need to target a specific site - if they find a vulnerability in a popular external resource, they can attack everyone who uses it.

This also means that if an attacker were to target a specific site, they could search for vulnerabilities in all the included resources that someone else has already found.

This issue is of course not limited to external resources, but resources that have been downloaded and then self-hosted as well.

Remediation

There are ways to minimise the danger of the resource changing. Read more about this: https://blog.detectify.com/2016/10/27/cdns-minimize-damages-if-the-cdn-is-hacked/

However, doing so also prevents auto-updates that change the resource, which increases the risk of the scenario described under point two. When a vulnerability is discovered in a public resource it is often automatically updated, but that does not work if the resource is not allowed to change. This is therefore a question of what you believe to be the greater risk; existing vulnerabilities that cannot be patched or the external provider turning malicious or getting hacked. Because the answer to this question greatly depends on the situation, there is no universal solution that is optimal for everyone.

The best thing to do is, of course, to minimise the number of external resources. Do not include widgets that are not really needed, or whole libraries used for just one small feature that could be written in plain JavaScript, etc. A further benefit of minimising the number of external resources is that it also reduces loading time, making the website faster.
