What does scorecardsresearch.com/beacon.js - added by Disqus.com - do?
Am I essentially giving scorecardresearch.com access to my users and user's cookies for my domain, since the script tag is on my page?
Yes. Any script included in your page either directly or indirectly (via disqus) has full access to interfere with the user's experience for everything on the hostname it is included on.
Stealing client-side (non-httponly) cookies is only one potential attack - if they wanted to, they could include a JavaScript keylogger to intercept all keypresses on your site, steal passwords, make the user automatically delete their account, and so on.
You will have to decide how much you trust Disqus and their partners, and gauge how sensitive the material on your site is, to come to a conclusion on whether this level of access is an acceptable bargain for the benefit of having a chat system for free. I'm a paranoid sort who can remember back to the days when TMRG (scorecardresearch) had their MarketScore spyware silent-installed in software bundles, so I'm not keen, personally.
If you're worried about this but still want to keep the chat feature, a potential workaround might be to include the chat in an iframe served from another domain that doesn't get scripting access into your main site domain.
As far as I understand beacon.js along with cookies does a bunch of tracking of visitors
Yep.
What does this report mean?
It's an automated vulnerability scan of the beacon service; it hasn't been processed manually to rate how much of a problem the detected issues actually are.
From the issues listed here we have the ability to inject unescaped HTML content into files from scorecardresearch.com. That would normally be an XSS vulnerability, albeit mitigated by the files that are being injected into being JavaScript files. So you could inject into scorecardresearch.com if you could make some visit that address using a browser that can be fooled into thinking the file is HTML by the presence of content like <html>
. This is 'MIME-sniffing' and it's typically more of a problem for older browsers.
In any case, this probably doesn't affect you. You are including the script from scorecardressearch into your site's security context, not using scorecardresearch's potentially-compromised own context. Including a file as a <script>
doesn't give MIME-sniffing any chance to misinterpret the string literal content as HTML, and there's no evidence of any holes in the script that would allow content to break out of the Javascript string literal (unescaped quote mark).
I work at Disqus and I feel the answers above are misinformed about how our application works.
Basically, our application is loaded almost entirely inside an iframe. This dramatically changes how your site is exposed to both our code and 3rd-party code.
Am I essentially giving scorecardresearch.com access to my users and user's cookies for my domain, since the script tag is on my page?
No. These scripts (beacon.js) are loaded in an iframe, on a document served from disqus.com (disqus.com/embed/comments). Because of the Same Origin Policy, this code cannot access your document, nor the cookies associated with your site's domain.
What does this mean? I assume they have the same power to parse my user traffic as, say Google Analytics.
It's possible that the beacon code, loaded in our iframe, could look at the document's referring URL (the parent page URL).
Could they use the Disqus cookies stored on my site to log in to a user's Disqus account or access Disqus on another domain somehow?
The Disqus cookies are not stored on your site; they're associated with disqus.com. So, yes, the script could potentially read and abuse the user's Disqus cookie. But this is highly unlikely – scorecardresearch.com/beacon.js is actually comScore – one of the largest web analytics firms.
What practical implication does that xss report have?
The answer above covers this well: https://security.stackexchange.com/a/26005/42794
But it's worth mentioning that Disqus serves Content Security Policy headers to prevent inline script execution, which greatly mitigates XSS attacks.
Consider completely stopping use of Disqus or any other social script/plugin that inserts scorecardresearch.com scripts as both scorecardresearch.com and voicefive.com scripts have been proven to cause never ending page loads and will negatively affect your SEO as Google likes to see pages that load fasts and scripts that are Asynchronous. Here is an article on why Scorecardresearch.com and voicefive.com are harmful. The more scripts you have the more problems.
http://techlivewire.com/2385/remove-scorecard-research-and-voicefive-from-wordpress.html