Virtualization Technology News and Information
c/side 2025 Predictions: Client-Side Script Security (Finally) Gets the Attention it Deserves


Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.

By Simon Wijckmans, CEO and founder of c/side

In 2025, organizations vulnerable to cyberattacks that exploit third-party scripts will finally flip the script (so to speak). This long-overdue shift will secure client-side browser activity against risks that currently leave companies exposed.

I predict:

1. A wake-up call to the danger of third-party web script attacks.

Client-side attacks that exploit third-party browser scripts (which are used to run payment portals, analytics, chatbots, and all kinds of other website functions) have long been security's blind spot. Recent incidents have made it clear that organizations ignore these threats at their peril.

A particularly illustrative and recent example is the Polyfill attack, which had businesses running compromised web scripts from February to June of 2024 and ultimately impacted at least half a million websites. Polyfill is a known legacy open source service used to bring modern JavaScript functionality to older browsers. Even as modern browsers rendered Polyfill largely obsolete, thousands of sites continued to link to the Polyfill site and load its third-party script with every user visit.

Even after alerts went out that Polyfill[.]io had come under new ownership, countless security teams (likely oblivious to client-side threats) continued allowing Polyfill scripts to run without verifying or overseeing their actual behavior. In June, c/side was amongst the first cybersecurity companies to discover that those scripts were redirecting a percentage of users to sites with illicit and gambling content. The scary part is that those obvious redirects may have masked much more nefarious activity, such as stealing customers' logins, personal data and payment card information. Because security teams had a blind spot to the danger and no script monitoring in place, they now have a blind spot to the full consequences of their failure.

The Polyfill attack is just a single example. So-called "Magecart attacks," which exploit third-party scripts to steal customer data from businesses using Magento ecommerce frameworks, affected untold thousands of customers in the past year and even major companies including Cisco. 2024 also saw healthcare giant Kaiser Permanente expose the browsing behavior of 13.4 million customers to third-party vendors due to mismanaged scripts.

These high-profile demonstrations of third-party script risks will push more security teams to address those threats in 2025. Teams will increasingly embrace dedicated strategies and tools designed specifically to provide visibility into script behavior, as well as anomaly detection and mitigation.

An issue: attackers can utilize compromised third-party scripts to send different web server responses with each website request, making nefarious activity invisible to traditional security strategies. To solve this, security teams will implement new capabilities that can continuously monitor all the third-party scripts running on their websites and users' browsers in real-time, analyze full script payloads, and disallow malicious code before it can execute. That transparency will transform security outcomes in the next year, turning a blind spot into an area of strength for businesses prioritizing these protections.
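Because a compromised script can return clean code on most requests, one spot check proves little. The following added example (not code from c/side or from the original article) samples a script several times and compares each payload's digest against an approved inventory. The URL, the script bodies and the function names are constructed for illustration.

```javascript
// Added example with constructed data; all names here are hypothetical.
const { createHash } = require("node:crypto");

// SRI-style digest of a script body exactly as it was served.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Constructed inventory: script URL -> digest recorded when the script was reviewed.
const SCRIPT_URL = "https://cdn.vendor.example/widget.js";
const reviewedBody = "window.widget=function(){return 'ok'};";
const alteredBody = reviewedBody + "/* constructed: code that was never reviewed */";
const inventory = new Map([[SCRIPT_URL, sriHash(reviewedBody)]]);

// Assess the bodies returned by several separate requests for one script URL.
function assessScript(url, samples, approved = inventory) {
  const digests = samples.map(sriHash);
  const distinct = new Set(digests).size;
  const expected = approved.get(url);
  if (expected === undefined) {
    return { url, verdict: "unapproved", distinct, mismatches: digests.length };
  }
  const mismatches = digests.filter((d) => d !== expected).length;
  let verdict = "ok";
  if (mismatches === digests.length) {
    verdict = "changed"; // every response differs from the reviewed version
  } else if (mismatches > 0) {
    verdict = "intermittent-tamper"; // only some responses differ: selective serving
  }
  return { url, verdict, distinct, mismatches };
}

// Constructed scenario: five fetches, one of which returns altered code.
function runDemo() {
  const samples = [reviewedBody, reviewedBody, alteredBody, reviewedBody, reviewedBody];
  return assessScript(SCRIPT_URL, samples);
}

console.log(runDemo());
```

Sampling from a monitoring host only sees what that host is served, which is why the paragraph above stresses inspecting the payloads actually delivered to users' browsers.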

2. New PCI DSS mandates force businesses to get serious about securing third-party payment portal scripts.

PCI DSS v4.0.1 includes two new mandates (6.4.3 and 11.6.1) that put businesses (any that accept payments on their sites) on the clock to add tamper-detection security capabilities to their sites by March 31, 2025.

Regulators are making tamper detection mandatory because exploits in third-party scripts used in payment portals are currently responsible for a majority of credit card skimming incidents. For example, those prevalent Magecart attacks include making changes to payment page content as displayed in browsers, such that clicking the payment button or just submitting the form will send a copy of the user's personal and card information to attackers.

With PCI DSS clamping down on these threats, security teams will take the opportunity to not just meet the letter of the compliance mandates by securing payment pages, but to use the same tools to monitor and mitigate script-based threats across their entire sites. Businesses that practice holistic strategies to secure customer activities from the moment they arrive on the site will be that much more effective in ensuring that no exploits along the customer journey can result in data exposures.

3. Third-party script security will increasingly utilize AI and LLMs to achieve more capable threat analysis, optimizing protections.

As it has in so many fields, AI technology will have a transformative impact on client-side script security. In 2025, the limitations of static security strategies such as threat feeds, content security policies, traditional behavior detection and web crawlers will appear painfully antiquated in comparison with what AI brings to the table.

LLMs can now comprehend JavaScript code and provide valuable insights. Those capabilities will only improve into 2025, enabling ever-better real-time analysis of third-party scripts. The AI currently available to vet scripts and deny malicious code from ever reaching users is already a game changer for security teams. AI tools descended from today's will become absolutely standard across industries and security teams, maybe as soon as 2025.

Now you see me

Attackers have turned client-side third-party script security from a blind spot in 2024 to a spotlight issue for businesses in 2025. Regulators like those behind PCI DSS won't allow complacency to continue. Given the effective new tools and strategies now available and the promising advances on the horizon, businesses will have every motive and opportunity to lock down client-side risks and ensure safe browsing for their customers.


ABOUT THE AUTHOR


Simon Wijckmans is the CEO and founder of c/side, a cybersecurity company focused on browser-side threat detection and protection. Previously, he held product management roles at Cloudflare and Vercel.

Published Thursday, January 30, 2025 7:32 AM by David Marshall