Even security scan sites could be somewhat more secure...

D+ grade scan: https://observatory.mozilla.org/analyze/whotracks.me
Recommendation, see security: https://webhint.io/scanner/4879588b-699d-493c-885f-6cdab8bd7006

2 vulnerable jQuery libraries detected: https://retire.insecurity.today/#!/scan/8f3256197336aa517abd84ac77cee9cc38ada500a7e69c0b09767e06a62ba341

DOM_XSS issues: Results from scanning URL: https://whotracks.me/static/js/search.js
Number of sources found: 5
Number of sinks found: 4

And I really wonder if this could not be abused, so many sources and sinks:
Results from scanning URL: https://whotracks.me/static/js/search.js
Number of sources found: 452
Number of sinks found: 232

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)