by korethr 2304 days ago
It depends on the ad. In the before time, long ago, ads were a simple static image or body of text. And in that case, while not impossible, it's rather hard to compromise a computer with a static image or block of text. You'd have to have a fairly specific image crafted to adversarially target a specific bug in the rendering of images to get code execution, and thus compromise a computer.

It is no longer the before time.

In the now time, ads frequently contain not just text or images, but javascript as well. And already having code execution by virtue of javascript, it is a lot easier to escalate the privileges of that code execution from the limited environment of the browser to installing code on the computer running that browser. Want to deploy your bot? Buy an ad that includes your malicious javascript payload. Now, anyone who goes to a site and views your ad will execute your javascript for free in addition to your offer to sign them up for credit score monitoring.


Are there any ad networks that allow random advertisers to include custom JavaScript in ads?

It just seems like a huge security hole and is not in the interest of ad networks for multiple reasons.

They might have JS in ads, but isn't that from the ad network's infrastructure?

Every single ad seller's been caught by companies selling these dangerous ads. Google, Yahoo, etc. They usually catch it within 3-5 days. That's too long.
In short, yes. Advertisements are a huge way to get malware onto people's computers. This is just one random article from a Google search for "malware advertising", but there are tons, and it still happens today.

https://arstechnica.com/information-technology/2016/03/big-n...

What is in the interest of the ad networks is income and plausible deniability.

“Sorry we didn’t realise that there was malicious content in that ad, we’ll do better in the future, and we’ll also work on taking less than four days to remove malicious content.”

In the meantime the reason ads are being bought is the ability to deploy customer enrichment experiences (the new name for malware) which will help customers better discover your product (by redirecting their browser, or rewriting links).

Are there ad networks that don't?
I have seen ads trigger site redirects, app download redirects to app stores, etc., and even initiate APK (Android app package) file downloads automatically.