Third party scripts are off site scripts and until run avast doesn’t scan them, at that point I guess it doesn’t care. The problem being if it were initiated by that site would it be treated as from that site (and not scan per exclusion) or recognise it isn’t from that excluded site and scan it. That is one area why I generally don’t add sites to the script shield exclusions.

I would suggest that you use the firefox NoScript add-on as by default it doesn’t allow scripts to be run until you allow them for the site. It also has a function to block XSS ((X)Cross Site Scripting). You could go a step further and use the RequestPolicy add-on as that gives even more configurable against XSS running.

However NoScript will take a little time to build up your database of commonly used/visited sites that you allow first party scripts to be run, so some find it can be a little hassle at first. The RequestPolicy is much more intrusive as you would be surprised just how much 3rd party (XSS) scripts/content is used on sites.