Using external javascript files can be harmful to you and your site visitors.
Many websites use javascript files located to an other domain. Usually this happens when we copy-paste ready-to-use code for a script (jquery, slider, gallery, etc) we found on the internet. This practice can lead to many problems and especially to serious security issues for both the site administrator and its visitors. In this article we will refer to the problems that can arise by the use of external js files and what we can do to achieve maximum availability and security.
Consider we have an image slider using jquery and we use an external javascript file example.com/slider.js in order for the slider to work in our site. Let's see what problems may arise to our site by just the fact that it is an external file.
If the domain in which the file is located (example.com) is down, or for some reason not-available (eg due to routing issues of the internet provider), then our script wont work because the external js file wont be loaded. Even if our site is fine and online the script wont work and the slider will break just because some other, irrelevant, site is down. This is valid for google, microsoft, and any other site you think will be online forever.
The web browser takes more time to load files from external sites as it queries third sites which make page loading slower. A web-page is consisted by many files (images, videos, javascript, etc). For each file the browser makes a request to the web server in order to load it. If you pay attention to the bottom line of your web browser (eg Firefox) when you visit a page it shows you the files it loads. The local files get loaded faster than the external ones. This is valid for any file type, images, javascript, css, etc.
The owner of example.com can any time delete, rename, or move the javascript file to which you have a link. The whole example.com might even completely close as a site. The slider will stop working and you will struggle to understand why this happens. In case the other domain is closed you will have an additional problem to find the js file your slider needs in order to work.
Now, the most serious problems. The owner of example.com can any time change the contents of the js file or add something extra in the file irrelevant to the slider functionality. The same can happen by a third person if example.com is hacked. Hackers don't want to get noticed, and so most probably they will leave the slider's code as is -in order the sliders on the sites they use it to keep working- and add malicious code at the end of the file. Ιt is very difficult to notice such a change. What this additional malicious code in the js file can be? They can easily steal your cookies which may contain information about your login status. Just for your information Elxis 4.2+ uses HTTP ONLY cookies which means that javascript has no access to the cookies generated by Elxis. So at least for Elxis 4.2+ you are safe by this threat, but not for older versions or other CMSs/sites.
They can even add an onclick event on a login form so when you press the submit button the login credentials username and password are sent via ajax to an e-mail or are logged to a file. Note that the hacker doesn't need to have access to any file on your website to do this. He can do everything from the js file he hosts on his site.
If you have a shopping cart he can steal the credit card details of your customers or any other information they submit on your web site. Via this external js file and by using AJAX the person that has access to the file can track the requests on your site and copy the data he is interested in somewhere else.
Scared? I hope yes. But don't worry, the solution is simple. Just copy the external JS file locally to your site and in the integration code of your script (eg of the slider) change the link pointing to the external file (example.com/slider.js) to the path of the copied local file (my-own-site.com/something/slider.js). That's all!