In the light of the new growing mal-ad injection threat, the following.
Insecure javascript inclusion. Using the -src attribute of a tag to directly or indirectly include a JS-file
from an external domain into the top-level document of a webpage.

Keeping JS separate from HTML markings is a good practice. Good is including JS from the same host or domain,
could be excluded from evaluation with insecure inclusion techniques. Sites run the risk their homepages come under the control of the included javascript code and even higher risk from multiple sources.

Some advertisers provide nothing on their root URLs but point just to some stored JS file using URL-paths. A single compromised JS-file could directly cause security breaches on thousands of sites.

Now one can understand why using a decent adblocker is not a luxury or use an adblocking browser on Android for that matter.
Google Safebrowsing is a last resort line of defense!

polonus