The Blessing and Curse of First and Third-Party JavaScript
April 01, 2024

Rui Ribeiro
Jscrambler

The web as we know it today didn't evolve overnight. It began with TCP/IP, followed by HTML, the browser, and, last but certainly not least, JavaScript. Now JavaScript, one of the foundational technologies of the World Wide Web, is fueling a massive shift towards client-side innovation by digital businesses of all sizes and industries worldwide.

This client-side innovation is being aided significantly by JavaScript frameworks, which allow teams to rapidly develop superior online experiences. It also required businesses to encapsulate and expose back-end functionality as open APIs, so that front-end teams could build quickly in these frameworks on top of the APIs their back-end developers provide.

Flash forward to the present day, and digital marketing and business teams are enhancing online experiences by tapping into thousands of third-party digital solutions (A/B testing, analytics, advertising, retargeting, online payment, CDPs, social media, etc.) that can be seamlessly integrated into any webpage. This launched what we like to call the "bring your own tag" era, in which JavaScript, delivered through modern Tag Management Systems as well as pixels, is accelerating the shift by making it easy to deploy, test, and integrate third-party solutions.

These developments have been a blessing for businesses looking to develop and roll out new cutting-edge digital experiences. Today, more than 98% of websites around the world use JavaScript as their go-to client-side coding language. But this use introduces challenges — today the average web page has more than 60 third-party scripts that are unmonitored and have uncontrolled access to forms and data anywhere on the page.

Here are four examples of challenges businesses are facing as a result.

1. New Security Threats

Client-side digital innovation has introduced a new wave of security threats that tie back to one thing: JavaScript can be easily viewed, and also manipulated, in any web browser. It should not come as a shock that this creates vulnerabilities that malicious actors can exploit. For example, attackers can tamper with a website's JavaScript to modify its behavior, stealing sensitive information like credit card details or valuable content such as streaming audio or video files. Attackers are using first- and third-party scripts as anchor points for their attacks. As a result, growing numbers of businesses are getting caught in the crosshairs of credit card skimming and Magecart attacks.

There's also a rising tide of supply-chain attacks. Gartner predicts that by 2025, 45% of organizations worldwide will experience attacks on their software supply chains. In these instances, malicious actors compromise third-party website add-ons, also known as tags, that are integrated into websites or applications. Once compromised, all downstream users suddenly face the risk of data theft.

As businesses become increasingly reliant on client-side JavaScript development, JavaScript's weaknesses and client-side blindspots are being increasingly exploited. This trend will only intensify, with AI now powering a new generation of attacks, making them more sophisticated, insidious, and more complex to detect than ever before.

2. New Risks of Data Leakage

Online "partners," the third-party JavaScript solutions you implement on your web pages, also feast on the data collected from client-side interactions. Why? Because their AI-powered products are insatiable. They are doing so without asking, and it gets worse. This is not just any data. It's yours. It's your customers' data, which all parties thought was private, secure, and protected. Now, many are discovering that it is being consumed, used, and processed in most cases without your explicit permission.

3. New Compliance Challenges

The universal usage of first- and third-party JavaScript isn't just a trend; it's creating a perilously exposed client-side environment. The Payment Card Industry Security Standards Council (PCI SSC) provides specific guidelines that require merchants to maintain visibility, risk management capabilities, and control over how JavaScript is used on their payment pages. Their objective is to stop web skimming, but they are increasingly focusing on avoiding data leakage as well. The Council recently introduced PCI DSS v4.0, an updated set of guidelines and requirements to ensure that cardholder data is handled, stored, and transmitted securely during payment card transactions; it includes specific rules for how JavaScript is used on payment pages.

4. Existing Tools Fall Short: The Case for Client-Side Protection

Shifting away from JavaScript and third-party add-ons is not an option. It speeds up development and allows companies to use best-of-breed solutions to enhance the user experience.

Some companies are leveraging browser capabilities like Content Security Policy (CSP) and Subresource Integrity (SRI). These provide layers of security but are not sufficient for comprehensive client-side JavaScript protection, especially where both first- and third-party JavaScript are in play. They fall short when third-party scripts are updated two, three, or four times per week: they rely heavily on manual policy updates to keep up with vendor changes, and they "fail closed," meaning an unrecognized change is blocked outright. This inflexibility can cause issues, especially on payment pages, where any blocked resource can prevent transactions from going through. They must be complemented with more advanced and automated solutions capable of monitoring and managing script behavior and integrity in real time. This is where client-side protection and compliance solutions can help.

Some features that address the challenges outlined above include:

Advanced JavaScript Obfuscation + Runtime Defense: JavaScript protection that combines advanced obfuscation with runtime defenses can help ensure a given JavaScript file has not been tampered with. Also consider a platform that supports environmental checks, such as browser and device checks, and can lock the code when security threats are identified.

Fine-Grained Third-Party Tag Control: Another element to look for is control. More specifically, it is important to gain fine-grained control over the behavior and data consumption of every third-party tag's JavaScript across the entire business, to rapidly cover all website pages, and to identify all third-party tags. Additional elements that can be valuable include intuitive reports detailing the risks associated with each script, the ability to approve new third-party website add-ons and define detailed controls over the data accessible to each script, and dashboards that let teams continually monitor all third-party vendors' activities.

Expertise: The chosen vendor should provide full customer support at every step. Clients will need help choosing the right first-party JavaScript obfuscation techniques for their needs. For third-party tags, skilled consultants should be available to guide them in setting up the best risk mitigation strategies, including suitable data fencing tactics. And then the question of ongoing management will surely arise; the most sophisticated vendors will be able to take on that management as well.

These are just a few areas vital to regaining control of first- and third-party JavaScript environments, and as you begin your journey there will be many others to consider. In the end, the key is finding a solution that works with your existing tools, lets your business maintain its commitment to client-side innovation, and gives it the freedom to do so securely.

Rui Ribeiro is CEO and Co-Founder of Jscrambler