Took a random website from a Princeton University hall of shame list - in this case one having the Hotjar replay script; name of the domain: outbrain dot com.
The overall PrivacyScore score is below par, with 53 third-party embeds, among which we find 29 from known tracking and ad corporations, the mentioned Hotjar script being one of those.
No HSTS has been set to protect against insecure requests; also no preloading and no public key pinning set.
The last setting has some problems; we are waiting for something more friendly to apply.
Again the server there is open to the Secure-Client-Renegotiation vulnerability, and also to the BREACH, SWEET32 and Lucky13 attacks.
No CSP header set, and neither an XFO header, an X-Content-Type-Options header nor a Referrer-Policy header.
No TLS 1.2 being offered. This according to the results here: https://privacyscore.org/site/34920/
Check also here to reach similar conclusions: https://observatory.mozilla.org/analyze.html?host=www.outbrain.com
Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https.
uBlock Origin blocks all of outbrain dot com for me.
Re sources and sinks: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.outbrain.com
Also consider the errors appearing in this script: hxtps://www.outbrain.com/script.js?version=f80704f215b146c0d269a38cb085de856f58da30
found JavaScript
error: undefined variable $
error: undefined function $
Note: never use 'rusty' script like this here; take care not to use $this.functionName() or self.functionName() or $self->functionName()… or variants thereof, unless you have verified the namespace for them and placed them at the end of the file to avoid such errors. Credit for this error info goes to StackOverflow's J. Rivero.
Another 14 issues found here (mainly DNS problems): https://mxtoolbox.com/domain/www.outbrain.com/
Privacy-wise and security-wise we have a long, long way to go to make the global website infrastructure somewhat more secure. The slogan therefore stays: “All hands on deck”.
polonus (volunteer website security analyst and website error-hunter)
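As an added illustration (not part of the original post, nor code from any of the scanners linked in it): a small Python check for the header findings above (HSTS including preload readiness, CSP, XFO, X-Content-Type-Options, Referrer-Policy) and for external scripts loaded without SRI. It runs on constructed sample input, not on a live fetch of outbrain.com.

```python
import re
# Constructed sample inputs (not captured from outbrain.com or any real site).
WEAK_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
SAMPLE_HTML = ('<script src="https://cdn.example.invalid/lib.js"></script>'
               '<script src="https://cdn.example.invalid/ok.js" integrity="sha384-AAAA"></script>'
               '<script src="/local.js"></script>')
def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) or None if the header is absent."""
    if value is None:
        return None
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives, "preload" in directives
def audit_headers(headers):
    """List the protections the response lacks, in a fixed order."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security"))
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, subs, preload = hsts
        # preload list submission needs max-age >= 1 year, includeSubDomains and preload
        if max_age is None or max_age < 31536000:
            findings.append("HSTS max-age below one year")
        if not (subs and preload):
            findings.append("HSTS not preload-ready")
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("CSP missing")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("XFO missing and CSP sets no frame-ancestors")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings
def scripts_without_sri(html):
    """Return src of external <script> tags that carry no integrity attribute."""
    missing = []
    for tag in re.findall(r"<script\b[^>]*>", html, flags=re.I):
        src = re.search(r"""src\s*=\s*["']([^"']+)""", tag, flags=re.I)
        if src and re.match(r"(https?:)?//", src.group(1)) and not re.search(r"\bintegrity\s*=", tag, flags=re.I):
            missing.append(src.group(1))
    return missing
```

Feed it the header dict and HTML body of a real response you captured yourself and the two lists read like the PrivacyScore and Observatory findings quoted above.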