RedScore.ai

Third-Party Risk Surface

45 points total

Analyzes your site's third-party dependencies — external scripts, tracker presence, Subresource Integrity coverage, external resource domain count, mixed content, and risky/outdated libraries.

Checks

| Check | ID | Weight |
| --- | --- | --- |
| Subresource Integrity (SRI) | thirdparty_subresource_integrity | 25 pts |
| Mixed Content | thirdparty_mixed_content | 10 pts |
| Risky Library Detection | thirdparty_risky_library_detection | 10 pts |
| External Script Count | thirdparty_external_script_count | info |
| Tracker Presence | thirdparty_tracker_presence | info |
| Resource Domain Count | thirdparty_resource_domain_count | info |

Pass / Warn / Fail Logic

Subresource Integrity (SRI)

Pass if all eligible scripts have SRI; warn on partial coverage; fail if none.

Mixed Content

Pass if no mixed content; warn on passive (images/media); fail on active (scripts/styles).

Risky Library Detection

Pass if no risky libraries; warn on outdated versions; fail on known vulnerabilities or compromised supply chain.

External Script Count

Informational only (weight 0). Generates advisory findings based on count thresholds.

Tracker Presence

Informational only (weight 0). Generates advisory findings.

Resource Domain Count

Informational only (weight 0). Generates advisory findings based on domain count.

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

critical: No Subresource Integrity (no_sri)

Add Subresource Integrity (SRI) for static third-party scripts where hashes are stable. Some providers (for example Google Tag Manager) serve dynamic JavaScript where SRI is not applicable — those are excluded from the SRI score denominator when detected.

critical: Active Mixed Content (active_mixed_content)

Immediately update all script, stylesheet, and iframe references to use HTTPS.

critical: polyfill.io Detected (polyfill_io_detected)

Immediately remove all references to polyfill.io. Self-host polyfills or use a trusted CDN alternative.

critical: End-of-Life Framework (eol_framework_detected)

Migrate from Angular.js to a maintained framework (Angular 2+, React, Vue, Svelte).

medium: Minimal SRI Coverage (minimal_sri)

Implement Subresource Integrity for all external scripts. Generate SHA-384 hashes for each script and add integrity and crossorigin attributes.
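
An added example, not RedScore's own code: it builds the SHA-384 `integrity` value described above and applies the pass/warn/fail coverage rule from the logic section to a page's script tags. The `DYNAMIC_HOSTS` list, the host-based definition of an eligible script, and the sample page are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts whose scripts are dynamic, so SRI is not applicable.
DYNAMIC_HOSTS = {"www.googletagmanager.com"}

def sri_sha384(body: bytes) -> str:
    """Build the integrity attribute value for a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class ScriptCollector(HTMLParser):
    """Record (absolute URL, has integrity) for each <script src=...>."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            self.scripts.append((src, bool(a.get("integrity"))))

def sri_status(html: str, page_url: str):
    """Return (status, covered, eligible) for the page's external scripts."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    skip = {urlparse(page_url).hostname, *DYNAMIC_HOSTS}
    # Assumption: "eligible" means hosted elsewhere and not a dynamic provider.
    eligible = [ok for src, ok in collector.scripts
                if urlparse(src).hostname not in skip]
    covered = sum(eligible)
    if covered == len(eligible):  # assumption: no eligible scripts is a pass
        return "pass", covered, len(eligible)
    return ("fail" if covered == 0 else "warn"), covered, len(eligible)

# Constructed sample page and script body, not taken from a real site.
SAMPLE_JS = b"console.log('constructed sample');\n"
SAMPLE_HTML = f"""
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_sha384(SAMPLE_JS)}" crossorigin="anonymous"></script>
<script src="https://widgets.example/w.js"></script>
<script src="https://www.googletagmanager.com/gtm.js"></script>
"""

print(sri_status(SAMPLE_HTML, "https://shop.example/"))
```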

medium: Vulnerable Library Detected (vulnerable_library_detected)

Update vulnerable libraries to patched versions recommended by the vendor.

medium: Excessive External Scripts (excessive_external_scripts)

Large number of external script sources detected. This increases supply-chain attack surface. Consider consolidating or self-hosting where feasible.

medium: Extensive Tracking (extensive_tracking)

Significant number of tracking scripts detected, expanding the third-party script surface area. Each is a supply-chain dependency. Audit periodically for unused scripts.

medium: Excessive External Resources (excessive_external_resources)

Large number of external resource domains contacted. Each is a trust dependency that could be compromised or go offline. Consider consolidating where feasible.

low: Partial SRI Coverage (partial_sri)

Add integrity and crossorigin attributes to the remaining external script tags. Your build tool or CDN provider can generate the correct hashes.

low: Passive Mixed Content (passive_mixed_content)

Update all resource URLs to use HTTPS. Most CDNs and image hosts support HTTPS.

low: Moment.js Detected (moment_js_detected)

Consider migrating from Moment.js to a modern date library (date-fns, Luxon, Day.js).

low: High External Script Count (high_external_scripts)

Elevated number of external script sources. Each is a supply-chain dependency — review whether all are still needed and ensure SRI coverage.

low: Moderate External Script Count (moderate_external_scripts)

Moderate number of external script sources detected. Each external source is a supply-chain dependency. Ensure SRI hashes are present where possible.

low: Ad/Tracking Scripts Present (ad_trackers_present)

Advertising or tracking scripts detected. These expand the third-party script surface area. Ensure disclosure and consent where required.

low: Standard Analytics Present (standard_analytics_present)

Standard analytics scripts detected. Each third-party script is a supply-chain dependency that could be compromised. Ensure SRI hashes are applied where supported.

low: High External Resource Count (high_external_resources)

Elevated number of external resource domains. Each domain is a trust dependency. Self-host static assets where feasible to reduce contacts.

low: Moderate External Resource Count (moderate_external_resources)

Moderate number of external resource domains contacted. This is common for modern sites; ensure SRI is applied to script resources.