If at all possible it would be worth naming and shaming the advertising network that is allowing this exploit through.
Why do advertising networks allow advertisers to execute Javascript? What need is there for it?
Every time one of these exploits that use advertising networks is found, it just increases the value of blockers such as uBlock. Whether you accept adverts or not, you shouldn't have to accept javascript being executed on your machine that isn't from the site you visited.
The networks themselves rely almost exclusively on javascript nowadays, so the websites have little choice. The ad networks then in turn pass some or all of this trust to whoever makes the creatives, which up until recently were quite frequently done in Flash and are now sometimes in javascript.
Personally I think all ads should be served up in a totally passive visual format (png, jpeg, gif) and have no other attributes than a non-javascript link target. That would take care of almost all drive-by injection. But ad networks serve up what their customers want, and their customers want interactive ads because the click-through rates are higher and because otherwise the competition would be doing it and they go out of business.
Ad networks that do serve up javascript should at a minimum pull the script to their own server and audit the code of the script. Good luck with that though.
Fortunately it's easy enough to install an ad blocker and get rid of that part of the problem entirely but it would be nice if users without an ad blocker wouldn't have to worry about this.
I agree. It's actually the animation of the adverts that I find most distracting. Text and/or a static image, not an animated gif, would be fine. I would enable ad networks that could guarantee that is all they will serve up.
> naming and shaming the advertising network that is allowing this exploit through
The person who found and reported the exploit said this particular exploit did not originate from an ad server[1].
Without disabling javascript, I have always argued that merely disabling 3rd-party iframe tags is a good first move[2]: significantly less breakage than disabling javascript, yet this will effectively step up security/privacy protection.
In the current case, the person who found it confirmed that just blocking 3rd-party frame tags would have foiled the exploit.[3]
One of the goals of ad networks is to fill as much capacity as possible before relinquishing control to the website owner. The website owner then passes that unused capacity to a chain of competing networks. The last in the chain is usually a poor quality remnant network with junk ads.
The way an ad network fills capacity is by allowing other ad networks to be their advertisers. Those ad networks buy the crappy traffic and fill it with junk ads.
It's those crappy ads that look bad and may have scams attached to them - they get passed around so much that they can get lost in the system.
That said, premium campaigns can also have bad ads. Like advertisers pretending to be premium clients but under the right conditions (like geolocation, date, time, viewing host) the ads will turn bad. It's a game of cat and mouse, and those ad networks are more geared for sales.
According to user fukusa, it was not an advertising network; rather, it looks like the site was compromised to run the script and it was disguised as an ad.