This is a personal security alert against a dangerous yet increasingly popular practice which I call Voluntary XSS. Voluntary XSS involves a website voluntarily embedding script fragments hosted by another, typically very popular, website. Here is an example:
[Image: a page on a spoke website embedding a script tag that loads 'bar.js' from the hub website]
Voluntary XSS is dangerous because the practice builds a hub-and-spoke (or star) vulnerability network which exposes every spoke website to weaknesses in the hub website. Since the active content of 'bar.js' from the hub website in the example above is typically injected into every page served by the spoke websites, a penetration of the hub website lets hackers change the content of every page served by the spoke websites instantly, simply by replacing the content of 'bar.js' with their own script.
As to how widespread the use of Voluntary XSS is, Google uses Voluntary XSS to display ads on Google AdSense sites, and Technorati uses Voluntary XSS for claiming blogs. I haven't checked Amazon and Yahoo yet, but I intend to soon.
Since this is a personal security alert, allow me to be more blunt than formal security alerts are: This is serious shit, folks. By inserting those HTML fragments into your web pages, you are betting that the websites hosting those fragments are and will remain impenetrable. Voluntary XSS makes those key websites very attractive targets for hackers, and I seriously doubt any website can withstand constant onslaughts by smart hackers.
My other posts on this topic: