Sensitive user data can be a user's authentication data (tokens, session IDs, cookies, etc.) or personal information (email, home address, phone numbers, social security numbers, etc.).
If a web application fetches data from a cross-origin domain through <script> tags, the browser executes the fetched response as JavaScript in the context of the including page, as if it were part of that website. An attacker can take advantage of this to execute malicious content on the website.
In some cases an attacker can force UTF-16 decoding by controlling the charset attribute of the <script> tag. This lets the attacker leak data served in other formats, such as JSON or XML.
When the user's browser sends the request, the included script is whatever the response contains. If the response stores values in global variables, any script on the including page can read them. If sensitive information is returned in a JSONP response, the callback function it invokes can be overridden to capture the data; the same trick works for other global functions. Instead of overriding the executed functions, custom-coded callback functions can be supplied for the global functions.
The impact of this warning includes:
Possible user data manipulation and leakage
Possible functionality change and redirection of data
It is advised that owners manage their web applications themselves. Privileges for managing a website can be delegated to third parties, but make sure those parties are publicly recognized and trusted.
Always sanitize user-supplied entries that are stored in JSON files.
Use Subresource Integrity (SRI). It lets browsers verify that fetched resources have not been tampered with.
Enable Content Security Policy (CSP).