by jazzyjackson 1745 days ago
The advertising platform need not be willfully malicious - but given that their JavaScript bundles are injected across hundreds of the largest websites, they make themselves valuable targets. If I wanted to distribute malware I would hack Taboola and let their servers do the work for me.

Yet that seems like malicious actors orbiting big platforms and not the other way around.
You're right, but I also think that lets the ad networks off the hook too easily for something they really could do more to combat if they felt like it.

Maybe there's a useful analogue in tort law: https://en.m.wikipedia.org/wiki/Attractive_nuisance_doctrine

You've got a thing, and your thing is fine, but negligently allowing others to harm themselves (or in this case, third parties) with said thing can be a problem.

For instance, an ad network could decide to serve only static content and not accept any third-party JS, greatly reducing the odds of someone coming along and using the network as a vector for malware. But the network has no incentive to do this because they make more money the other way. If they're made to cover some of the externalities of their product, they gain an incentive to not serve malware.

Running an ad network that accepts and distributes dynamic content is like leaving loaded firearms scattered around your property (in a jurisdiction without special safe-storage laws, I guess - the analogy isn't perfect).