
Navigating the Third-Party Code Minefield: Data Leakage Risks and Prevention Strategies

October 28th, 2025 | By Joyrene Thomas | 11 min read

Today, virtually all websites use JavaScript to seamlessly integrate third-party services. This is primarily to improve their online operations with analytics, user tracking, payments, social media, chatbots, and more. But this adoption comes at a price. Most businesses have no idea what information these tags are collecting. 


Jscrambler research reveals that while 97% of organizations are aware that JavaScript tags collect private and sensitive data, only 13% of organizations are confident that they understand what information these tags collect. And only 26% are aware that these tags leak their private user data to other organizations.


In this article, we will examine how attackers are exploiting JavaScript to capture customer data and corporate intellectual property, using real-life case studies to assess the impact of such breaches in the e-commerce, healthcare, media, streaming, and travel sectors. We also offer advice on how businesses can protect themselves from data leakage risks.


E-Commerce: Protect Customer Data and Payment Pages


The fully loaded costs of a data breach to a business could be massive. These include the direct costs of lost revenue, incident response, fines, and breach notifications. Then, there are the indirect costs, namely the loss of brand value, reputation, and trust.


For example, Marks & Spencer suffered a devastating cyberattack in March/April 2025, where customers were unable to use contactless payment in-store, shop online, or use click and collect services. E-Commerce accounts for around £3.8 million in daily takings. The attack wiped more than £750 million off its market capitalization and is expected to cost up to £300 million in operating profits this year.


Luxury retailer Louis Vuitton experienced a data breach affecting customers in several countries in June/July 2025. This followed similar attacks on the E-Commerce sites of Adidas, Cartier, Dior, and Victoria’s Secret. The latter was forced to shut down its website for three days in May 2025, although corporate systems were disrupted for longer.  


Prevention Strategies

While the alleged perpetrators behind recent E-Commerce attacks and their modus operandi differ, comprehensive client-side protection exists to prevent data leakage, customer hijacking, web skimming, and Magecart attacks. Safeguard your transactional website and ability to trade and continue trading by:


1. Detecting and Alerting on Suspicious Script Activity 

Analyze the behavior of scripts to identify anomalies such as excessive network requests, or unusual data manipulation, which could indicate a malicious attack.


2. Verifying the Integrity of JavaScript Libraries

Compare JavaScript code with known and trusted scripts to spot tampering with a library or website domain, and to prevent the execution of compromised code.


3. Monitoring and Blocking Malicious Third-Party Scripts

Monitor the execution of scripts, identify suspicious behavior, block scripts exhibiting malicious characteristics, and prevent the exploitation of vulnerabilities.
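
One way to carry out the integrity and monitoring steps above, as an added example that is not Jscrambler's code: a Node.js audit that compares each external script tag on a page with a reviewed baseline of SHA-384 digests in Subresource Integrity format. The URLs, script bodies, and status names are constructed for illustration; a real job would fetch the bodies currently being served.

```javascript
const crypto = require('node:crypto');

// SRI-format digest: "sha384-" + base64(SHA-384 of the script body).
const sriDigest = (body) =>
  'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');

// Pull src and integrity attributes out of every external <script> tag.
function externalScripts(html) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
    return m ? m[1] : null;
  };
  return (html.match(/<script\b[^>]*>/gi) || [])
    .map((tag) => ({ src: attr(tag, 'src'), integrity: attr(tag, 'integrity') }))
    .filter((s) => s.src); // inline scripts have no src and are skipped here
}

// Classify each script: not in the inventory, body changed since review,
// tag lacks a matching integrity attribute, or ok.
function auditScripts(html, baseline, served) {
  return externalScripts(html).map(({ src, integrity }) => {
    const expected = baseline.get(src);
    let status = 'ok';
    if (!expected) status = 'unauthorized';
    else if (sriDigest(served.get(src) ?? '') !== expected) status = 'tampered';
    else if (integrity !== expected) status = 'missing-sri';
    return { src, status };
  });
}

// Constructed sample data (hypothetical URLs and bodies, not from the article).
const CDN = 'https://cdn.example.test';
const bodies = { analytics: 'window.track = function (e) {};',
                 chat: 'window.chat = { open() {} };',
                 reviews: 'window.reviews = [];' };
const BASELINE = new Map(Object.entries(bodies)
  .map(([name, body]) => [`${CDN}/${name}.js`, sriDigest(body)]));
const SERVED = new Map([
  [`${CDN}/analytics.js`, bodies.analytics],
  [`${CDN}/chat.js`, bodies.chat + ' /* changed since review */'],
  [`${CDN}/reviews.js`, bodies.reviews],
]);
const PAGE = `
<script src="${CDN}/analytics.js" integrity="${BASELINE.get(CDN + '/analytics.js')}" crossorigin="anonymous"></script>
<script src="${CDN}/chat.js"></script>
<script src="${CDN}/reviews.js"></script>
<script src="https://tags.example.test/pixel.js"></script>`;

const REPORT = auditScripts(PAGE, BASELINE, SERVED);
console.table(REPORT);
```

Run on a schedule against transactional pages, any status other than `ok` is the alert condition: a new tag nobody approved, a body that no longer matches what was reviewed, or a tag the browser cannot verify for itself.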


Healthcare: Protect Online Engagement with Patients


Healthcare applications often handle sensitive data, making them prime targets for cyberattacks. Client-side breaches can result from misconfigurations or malicious script injections, potentially exposing user credentials, Social Security numbers, and Protected Health Information (PHI), and may remain unnoticed for prolonged periods.


This is what happened to two Swedish online pharmacies. They were fined a combined SEK 45 million ($4 million) in early July 2025 for improperly sharing sensitive personal data with Meta. Apoteket AB and Apohem AB installed the Meta Pixel to enhance their Facebook and Instagram marketing efforts. But the exposed customer purchasing data, including over-the-counter medicines and sexually transmitted infection testing kits, is classified as sensitive personal data under the GDPR.


Prevention Strategies

Healthcare businesses can enhance the privacy and security of patient information, while also protecting web apps through:


1. Implementing Polymorphic Obfuscation

Ensure JavaScript code is continuously transformed, making it extremely difficult for attackers to reverse-engineer or tamper with it.


2. Deploying Client-Side Threat Mitigation

Automate control over third-party vendors to prevent web supply chain attacks, data leakage, and customer hijacking.


3. Monitoring in Real Time 

Get instant alerts and benefit from real-time self-defense against tampering, debugging, or poisoning attempts.


4. Getting Compliance Assurance

Comply with HIPAA regulations by enforcing strict data protection policies and providing detailed audit trails.


Media and Streaming: Prevent IP Theft and Enforce Software Licensing


Reverse engineering, zero-day exploits, code modification, and more: the hacker threat within the entertainment industry is real. Media and streaming businesses must safeguard their intellectual property and digital assets – and with it their revenue and competitive advantage. 


For example, a hacker who stole unreleased music from artists, including Coldplay, Upsahl and Melanie Martinez, received a 24-month suspended prison sentence. The 22-year-old hacker from the UK obtained the music by illegally accessing several cloud storage accounts linked to the artists, and sold the tracks online for around £42,000.


Meanwhile back in 2018, cyber attackers inserted malicious code into a chatbot running on the Ticketmaster website to harvest data from users, including card numbers, expiry dates and security numbers. This resulted in a £1.25 million fine from the UK data protection regulator, a class action lawsuit from victims and ongoing legal repercussions in the US seven years after the breach.


Prevention Strategies

Media and streaming businesses can protect their intellectual property and enforce software licensing, with minimal impact on web app performance, to:


1. Prevent Piracy

Block any unauthorized access to apps. Harden your video player and protect it against fingerprinting or watermarking technologies.


2. Protect Content

Protect your IP, the player, and the ad revenue running inside it. Keep your unique content safe from competitors and bad actors.


3. Support Team

Save time and resources by delegating the monitoring and protection of JavaScript to a trusted third party.


Travel, Transport, and Logistics: Prevent Web Supply Chain Attacks


Third-party services, such as online booking engines, chatbots, customer review tools, and digital marketing solutions, are transforming the hospitality industry. After all, what business wouldn’t want to streamline operations, enhance customer experience, and provide valuable customer insights?


However, digital transformation also comes with risks, particularly around the use of third-party tags and supply chain attacks. For example, Australia’s largest airline, Qantas, is investigating a cybersecurity breach that exposed the personal data of up to 6 million customers. The airline confirmed in early July 2025 that cybercriminals had accessed a third-party customer servicing system linked to a Qantas call centre.


Prevention Strategies

Travel, transport, and logistics businesses can prevent credit card data breaches, digital fraud, and malicious scripts by:


1. Controlling Script Behavior

Guard against data breaches, web skimming, and more, by blocking unauthorized script behavior.


2. Obtaining Maximum Visibility

Get complete data granularity for real-time threat monitoring and alerts, so you can spot what’s what and what’s not quicker and easier. 


3. Achieving PCI DSS v4 Compliance

Protect against and detect digital skimming attacks on payment pages by certifying against PCI DSS v4, which contains two new requirements effective April 1, 2025.


4. Reducing Data Leakage Risk

One size fits no one in security. Configure your client-side protection to match your organization’s unique data leakage protection needs.


How Jscrambler Helps Prevent Data Leakage Risk


There are no silver bullets in risk management. Rather, it's best to develop a defense-in-depth, layered, or matrix approach to managing risk. The protection afforded across the various layers or stages becomes greater than the sum of its parts. Consider the following ways to secure your E-Commerce website and web apps:


Get Advanced Protection Through Obfuscation

Obfuscation can deter attackers by making JavaScript code more difficult to analyze and reverse engineer. The best security platforms allow businesses to define their obfuscation policy and needs. Jscrambler allows businesses to integrate obfuscation seamlessly into their continuous integration and continuous delivery (CI/CD) tools, and to run obfuscated code without slowing down website performance.


Protect Your Web Apps with Run-Time Defenses and Code Locks

Most obfuscation solutions solely protect code from cyberattacks. Market-leading solutions, such as the one from Jscrambler, go a step further by offering extensive runtime defenses. These defenses empower applications to autonomously detect and react to any tampering, debugging, or poisoning attempts in real-time.

Know When Your Website Is Under Attack

Ongoing monitoring is a second, third, and ongoing chance to check that the risk was correctly assessed in the first place — and is still applicable. For dynamic, international businesses, continuous monitoring is a must.


Jscrambler’s platform allows you to know if your JavaScript code is being debugged, tampered with, or being used outside your desired environment, via alerts and an at-a-glance monitoring dashboard. This enables real-time threat mitigation. 


Benefit From Expert Advice

A security solution is good. But a security solution with expert advice is even better. Jscrambler backs up its products with responsive customer service, high-quality documentation, and industry-specific expertise to address your specific vulnerabilities.


Jscrambler Client-Side Protection Platform

The Jscrambler Client-Side Protection Platform safeguards first-party JavaScript through state-of-the-art obfuscation and exclusive runtime protection.

Its fine-grained JavaScript behavioral analysis also mitigates threats and risks posed by third-party tags. It also complies with the new PCI DSS v4.0 standard for card data security. With Jscrambler, businesses adopt a unified, future-proof client-side security policy, all while achieving compliance with emerging security standards.

Trusted by digital leaders from several industries, including E-Commerce, healthcare, media and streaming, and travel, Jscrambler gives businesses the freedom to innovate securely. Connect with our client-side security experts to try our solutions to prevent digital skimming attacks.

