As often insecurities often with third party code - see this website!

See: https://www.eff.org/https-everywhere/atlas/letters/s.html
Overall https situation OK: https://www.ssllabs.com/ssltest/analyze.html?d=www.songkick.com
Detected libraries: -https://www.songkick.com/
Detected libraries:
jquery - 1.7.2 : (active1)- https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
jquery-ui-dialog - 1.8.17 : (active1) -https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.17/jquery-ui.min.js
Info: Severity: medium
http://bugs.jqueryui.com/ticket/6016
jquery-ui-autocomplete - 1.8.17 : -https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.17/jquery-ui.min.js
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

A meagre F-Status here: https://sritest.io/#report/e6d19f68-5165-4606-a32a-5cac0547236a

And missing headers will produce a D-Status here: https://securityheaders.io/?q=https%3A%2F%2Fwww.songkick.com%2F

See known sources and sinks and where it lands: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fajax.googleapis.com%2Fajax%2Flibs%2Fjquery%2F1.7.2%2Fjquery.min.js

Example: Setting innerHTML is susceptible to XSS attacks if you’re adding untrusted code.
The insecurity arises in displaying visitor-submitted content.

Intent analyzer shows: USE_TRANSITION and LAUNCH-EXTERNAL_ACTIVITY on android.
Browsable content.

polonus (volunteer website security analyst and website error-hunter)