Security blogger David Lynch (http://, has found a severe XSS vulnerability in the Eyewonder Ad Network; CNN, NY Times and Fox News are among the sites involved.

(Figure 1: CNN) 



(Figure 2: NYTimes) 


(Figure 3: Fox News)  



(Figure 4: Hi, Lionic!)  

The test links are as follows:


All of these websites use the Eyewonder Ad Network(, and the JS looks like this:

<script language="JavaScript">
    var query =;
    var adUrl = query.substring(5, query.length);
    var clickthru;
    var failclickthru;
    document.write('<s'+'cript language="JavaScript" src="');


An attacker can carry out a severe attack by filling the query string with malicious JS. Figure 4, for example, shows "Hi, Lionic!" injected into the CNN website.
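
One way a loader of this kind can constrain a script URL taken from the query string, as an added example that is not Eyewonder's code or code from the original post. It assumes the value after the 5-character prefix is used as the script source; the host ads.example.com, the "?url=" prefix and the sample inputs are constructed placeholders.

```javascript
// Added example: allowlist check for a script URL taken from the query string.
// ALLOWED_HOSTS is a constructed placeholder, not a real ad host.
const ALLOWED_HOSTS = new Set(['ads.example.com']);

// Mirrors the page's query.substring(5, query.length): drop the 5-character
// prefix and treat the rest as the candidate ad script URL.
function extractAdUrl(query) {
  if (typeof query !== 'string' || query.length <= 5) return null;
  return query.substring(5, query.length);
}

// Returns a normalized https URL on an allowlisted host, or null.
function validateAdUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string') return null;
  // Whitespace, quotes, angle brackets, backslashes and control characters
  // never belong in a script URL, so fail closed on any of them.
  if (/[\s"'<>`\\]/.test(raw) || /[\u0000-\u001f\u007f]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative input throws
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;            // no http:, data:, etc.
  if (url.username || url.password) return null;         // no userinfo tricks
  if (url.port !== '') return null;                      // default port only
  if (!allowedHosts.has(url.hostname)) return null;      // exact host match
  return url.href;
}

// Browser-side use: build the element through the DOM instead of
// concatenating markup into document.write().
function loadAd(query, doc) {
  const src = validateAdUrl(extractAdUrl(query));
  if (src === null) return false;
  const s = doc.createElement('script');
  s.src = src;
  doc.head.appendChild(s);
  return true;
}
```

In a page, `loadAd(window.location.search, document)` replaces the `document.write` call; anything that is not an https URL on an allowlisted host is dropped.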




By AegisLab