• Aceticon@lemmy.world
    8 months ago

    Let's go a little beyond merely hinting at the security implications:

    • The files being hosted by that 3rd party are JavaScript, which is code that runs in the browser.
    • Barclays is a bank.

    So people go to the website of a bank and their browser receives code from a 3rd party with whom the bank has no contract and who have nothing in place to obey the level of security that is required by a banking site.

    This is way more “interesting” than the photo from that example of yours (which doesn’t have any executable code, only data, being fed to very mature image decoding libraries, so it’s many times harder to find exploits for it than for code).

    Consider the implications of getting the Barclays website to serve (from the point of view of a user) what can easily be malware…

    • aes@lemm.ee
      8 months ago

      Fair, although explaining a potential vector for a hypothetical XSS attack and its implications to someone who doesn’t know what JavaScript is sounds like information overload.