
When Hackers Take Advantage of Your Trusted Vendors

Akamai·Ziv Eli·about 1 month ago

As JavaScript-based client-side attacks continue to evolve, we see how attackers are getting more sophisticated and employing more advanced techniques. Unfortunately, it has been proven many times that any website partner can be exploited to carry out an attack. Recently one of the most popular and trusted vendors was used as a credit card data exfiltration vector: Google Analytics.

Given the trends, we on the Akamai Client-Side Protection & Compliance team believe that the right approach to mitigate such threats is to treat all scripts in the page equally, not trusting a script based on its vendor. This is part of our philosophy from the beginning, when we analyzed the threat landscape.

Exploiting Google Analytics

One of the samples found in the wild lately, and first published by Kaspersky, shows how a Magecart group managed to use a rather simple -- but potentially business-lethal -- Content Security Policy (CSP) bypass method.…
