Description-Behavior Mismatch
Low
- Confidence
- 95% confidence
- Finding
- The preview HTML loads executable JavaScript from a third-party CDN, which means rendering depends on remote code outside the repository's control. If the CDN content is compromised, tampered with, or swapped unexpectedly, anyone opening the preview could execute untrusted script in their browser.
