It's bad enough when you're actually serving the data from your own site but it's in some form where you can't audit it. That's one of the many reasons I hate Flash.
Until this morning, when our webpage was only showing for a second and then the whole thing would redirect to someone else's site. Adios, visitors.
(What actually happened: the domain we were including from apparently expired, and now any HTTP request goes to a Network Solutions page, instead of returning a DNS error like it should. Fuck you, Network Solutions, as if we didn't already know you're evil and dangerous. But the same risk remains even if someone's domain doesn't expire; they can always serve a different script today than they did yesterday, and that script can do anything with the DOM that it wants to. There's no way to sandbox it.)
It's "standard practices" to include external scripts. Everyone does it. The ad people aren't techies; if I were to tell them, "uh, we don't want to include any external scripts that might change from load to load, and we also don't want to include any Flash crap unless we've compiled it from readable, auditable source ourselves," they would think I'm crazy. You know, one of those open source fanatics. They would say, "Gee, that's a shame you don't want the money," and go on sending the same dangerous ads to our competitors while we collect nothing.
Is it really an unreasonable weirdo religious fanatic position, to just want to be able to make sure that stuff will work and not do anything crazy? I don't think so. The fucking "standard practices" need to change, but how can one person do that? *sigh* I feel so powerless.
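An added example, not part of the original post: a Python audit that lists every third-party host a page loads active content from (scripts, frames, Flash embeds), which are the domains whose expiry or changed content would hit the page as described above. The page URL, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch active content.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ActiveContentAudit(HTMLParser):
    """Collects active content that is loaded from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.third_party = {}  # host -> list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return  # inline script: nothing is fetched from elsewhere
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.third_party.setdefault(host, []).append((tag, url))


def audit(page_url, html):
    """Return {third_party_host: [(tag, url), ...]} for one HTML document."""
    parser = ActiveContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.third_party


# Constructed sample page (hypothetical hosts).
SAMPLE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://ads.example.net/show.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script>var inline = 1;</script>
</head><body>
<embed src="http://ads.example.net/banner.swf" type="application/x-shockwave-flash">
<iframe src="https://www.example.com/local.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, items in sorted(audit(SAMPLE_URL, SAMPLE_HTML).items()):
        print(host, [tag for tag, _ in items])
```

Every host in the output is a domain registration and a server you don't control but whose content runs in your pages, so it is the list to review whenever a new ad or widget is added.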