The web application was found to include JavaScript hosted on third party servers within the application:

https://ajax.googleapis.com/ajax/libs/chrome-frame/1/CFInstall.min.js

Any third party scripts could therefore potentially be used by a third party in order to gain full access to a users account and their data within the application.

Scripts should not be included from untrusted domains. Where scripts produced by a third party are required they should be first reviewed and then copied to and maintained on the server hosting the application.

dotCMS requires this script in order to provide backward compatibility for older IE browsers.  In this case, we treat ajax.googleapis.com as a "trusted" domain.