Yesterday, a CDN was hacked and malicious JS was served to a number of domains. Most websites make use of CDNs to serve up JS so as to reduce page load time. How do we protect ourselves from such attacks?
I posed a similar question on Sec.SE some time back. Subresource Integrity is a new security feature that will save you. The code will not execute if there is a hash mismatch. Just don't use this on rolling releases that reuse the same URLs.
<script src="https://example.com/example-framework.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>