This article is part of our Web Security Knowledge Base.

Why Cross-Domain JavaScript Source File Inclusion can be dangerous

The Cross-Domain JavaScript Source File Inclusion alert means that the scanned page includes, and therefore potentially executes, one or more JavaScript files served from a third-party domain.

If the external script location is not owned and managed by you, there is a risk that the JavaScript file your application loads is replaced with malicious content, for example code that performs harmful actions in the page or steals sensitive information or resources from your application's users.

When some of your application's JavaScript files are hosted on a third-party domain you do not manage, an attacker may try to hijack that domain or gain access to that third-party server and modify the files. Your application would then include the modified version, which is executed in your users' web browsers. None of this requires access to your own physical servers.

How to fix Cross-Domain JavaScript Source File Inclusion

The general principle is to host all your application files only on server locations managed by you, or on a publicly trusted and recognized third-party service such as a CDN.

How does ScanRepeat report Cross-Domain JavaScript Source File Inclusion

Our scanner looks for any inclusion of a JavaScript file from a third-party domain and reports the exact location of each imported file, so that its source and the related risk can be reviewed.
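The check described above, written out as an added example (this is illustrative code, not ScanRepeat's own scanner): it collects every `<script src>` in a page, resolves relative and protocol-relative URLs against the page's own URL, and reports the includes whose host differs from the page's host. The `trusted_hosts` allow list models the "trusted CDN" exception from the fix section; the page URL, hostnames and HTML below are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; boolean attributes
        # such as 'async' arrive with a value of None and are ignored here.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def find_cross_domain_scripts(page_url, html, trusted_hosts=()):
    """Return absolute URLs of <script src> includes loaded from a host other
    than the page's own host (or a host on the explicit allow list).

    Relative URLs ('/static/app.js') resolve to the page's host and are kept.
    Protocol-relative URLs ('//cdn.example.net/lib.js') resolve to a foreign
    host and are reported, since they load third-party code just the same.
    """
    page_host = urlsplit(page_url).hostname
    collector = ScriptSourceCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname  # None for data:/javascript: URLs
        if host is None or host == page_host or host in trusted_hosts:
            continue
        findings.append(absolute)
    return findings


# Constructed sample page: one same-origin include, one protocol-relative
# third-party include, one plain-http third-party include and one inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.example.com/js/vendor.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="http://analytics.example.org/track.js" async></script>
<script>console.log('inline');</script>
</head></html>"""

if __name__ == "__main__":
    for url in find_cross_domain_scripts("https://www.example.com/index.html", SAMPLE_HTML):
        print("cross-domain script include:", url)
```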

Would you like to test your application against this problem now? Sign up for our free trial.
