by yaegers 3547 days ago
>"Some of them do not even require user action to be able to cause harm." makes me trust this even less. If the ad is opening a new browser window, that browser window is sandboxed. Sure it can ask the user to take an action, but it can't take an action on behalf of the user.

Google "drive-by download" and see how that is precisely what can happen. https://en.wikipedia.org/wiki/Drive-by_download

"Any download that happens without a person's knowledge, often a computer virus, spyware, malware, or crimeware.

Drive-by downloads may happen when visiting a website, viewing an e-mail message or by clicking on a deceptive pop-up window:"

Personally I would never trust that anything browser related is truly sandboxed. If that were the case, why would I need anti-malware scanners and tools?

This is, by the way, another reason why I use adblock and noscript. So that when I visit a site for the first time, nothing active element related will automatically run. So, in this case, even if the ads from Spotify open my web browser and a tab to a malicious site, I would just close it and be done with it. It is still weird why an ad should have the ability to call an open url command at all.