Spyware can infect your phone or computer via the ads you see online – report

[Xeamek]

Why? Browsers already treat all the code that is run by the website as potentially unsafe. Why would we focus specifically on adds where there are other, equally unsafe vectors present? What advantages would that have over the current way?

[Zak]

Perhaps because security isn't binary. Browsers should sandbox JS such that it's harmless, but sometimes fail at that. Letting fewer random strangers run JS in your browser reduces your attack surface area.

[bell-cot]

THIS, but `sed 's/fewer/far, far fewer/'`

AND - the owners of the (relatively) few web sites that most people visit are far more invested in staying malware-free, vs. the Ad companies letting ~anyone on the planet run js in ads, at "what's their credit card good for?" scale.

[bhouston]

Ads generally run in iframes and iframes are considered a form of sandboxing.

[falcolas]

IMO, because ad code is a step above “potentially unsafe”, it’s sometimes malicious, and even intentionally malicious.

[aaomidi]

Especially when you get to do hyper targeted attacks through the ad provider.

It’s one of the reasons I do not turn on personalized ads anywhere.