The information end users enter on their client-side (such as ID numbers, addresses, credit card numbers, contact information, and so forth) may be exposed to third-party services embedded in the applications. These are automatically trusted by the main application but are rarely monitored, even though businesses make every effort to protect customers' personal data on their application environments. When a visitor initially sees a page, a typical application loads dozens of different third-party JavaScript services (such as Tranzila, Google Analytics, and Outbrain).

These services, which are also known as the application supply chain, might occasionally even rely on a separate supply chain consisting of services provided by third- and fourth-party providers.