So how big is the risk? There are a couple of factors to consider:
Firstly, how well can the script owner be trusted? A company such as Google can probably be trusted quite a bit, although we're not just talking about the integrity of the company's ethics. We also need to consider how seriously they take security themselves: how stringent are their own practices? Again, we can be fairly sure that Google is pretty hot on security best practices, so the risk is relatively low. The same might not be true of other third-party sites.
Secondly, how big a target is your site? The case referred to in the Register's story was Barack Obama's website. That site is obviously going to be a huge target for potential hackers, with security an immensely important subject. Sites with a lower profile can reasonably be assumed to be less of a target, although the risks still cannot be discounted entirely.
In a recent forum post discussing this issue, the following advice was given:
if you must use external JScript, make sure it is a trusted source, and by trusted, I don't just mean the company and their reputation, but also their own security practices, and do not under any circumstances link 3rd party JScript to a "secured" or sensitive area of a site
This seems to be pretty sensible, and is something we will need to consider from now on, not just in relation to Google Analytics, but when looking at linking to any third-party script. Better safe than sorry…
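One way to turn the forum advice above into a repeatable check is a small audit that scans a site's pages for script tags loaded from an origin other than the site's own, and flags any that appear in a "secured" or sensitive area. The following is an added example written for this post, not code from the original article or from any third-party script vendor; the site origin, the list of sensitive paths, and the sample pages are all constructed assumptions. As a small extension beyond what the post discusses, it also records whether each third-party tag carries an `integrity` attribute, so a reviewer can see which external scripts are pinned to a known hash.

```javascript
// Added example (not from the original post): audit pages for third-party
// <script src> tags and rate them by whether the page is in a sensitive area.

const SITE_ORIGIN = "https://www.example.com";               // assumed first-party origin
const SENSITIVE_PATHS = ["/account", "/admin", "/checkout"]; // assumed sensitive areas

// Pull src (and integrity, if present) out of every <script ...> opening tag.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script, no external source to assess
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}

// Relative and protocol-relative URLs resolve against the site origin, so
// "//www.google-analytics.com/ga.js" is correctly treated as external.
function isThirdParty(src, siteOrigin) {
  return new URL(src, siteOrigin).origin !== new URL(siteOrigin).origin;
}

function isSensitive(path) {
  return SENSITIVE_PATHS.some((p) => path === p || path.startsWith(p + "/"));
}

// One finding per third-party script: "high" inside a sensitive area, "info" elsewhere.
function auditPage(path, html, siteOrigin = SITE_ORIGIN) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (!isThirdParty(s.src, siteOrigin)) continue;
    const resolved = new URL(s.src, siteOrigin);
    findings.push({
      path,
      src: resolved.href,
      host: resolved.host,
      severity: isSensitive(path) ? "high" : "info",
      hasIntegrity: s.integrity !== null,
    });
  }
  return findings;
}

// Constructed sample pages for illustration; not real site content.
const PAGES = {
  "/": `<html><head>
    <script src="/js/site.js"></script>
    <script src="//www.google-analytics.com/ga.js"></script>
  </head></html>`,
  "/account/settings": `<html><head>
    <script src="https://www.example.com/js/site.js"></script>
    <script src="https://www.google-analytics.com/ga.js"></script>
    <script>var inline = 1;</script>
  </head></html>`,
};

function auditSite(pages = PAGES, siteOrigin = SITE_ORIGIN) {
  return Object.entries(pages).flatMap(([path, html]) => auditPage(path, html, siteOrigin));
}

for (const f of auditSite()) {
  const pin = f.hasIntegrity ? "integrity-pinned" : "no integrity attribute";
  console.log(`${f.severity.toUpperCase()} ${f.path}: third-party script ${f.src} (${pin})`);
}
```

Run against the constructed pages, the analytics script on the public home page is reported at "info" level, while the same script on the account settings page is reported as "high", which is exactly the distinction the forum post draws. The regex-based tag extraction is deliberately simple so the check can run over saved HTML without a browser; on a real site, feeding it rendered markup from each sensitive route gives a more faithful picture.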