An analysis of 11 presidential campaign websites performed last September and again in December found multiple instances of potentially risky third-party code, unwanted code execution and unauthorized data tracking.

According to a new report from The Media Trust, 81 percent of executing code on these websites was not internally developed, but rather from external third-party vendors. (Which perhaps brings new meaning to the term “third-party” candidate.)

Third-party code is, of course, ubiquitous among websites in general and is essential for them to function. However, it is important that web developers know that they are pulling this code from trustworthy sources.

In that regard, every candidate website sourced third-party functionality from at least one suspicious domain, The Media Trust noted. And collectively, six percent of all executing third-party domains on these sites, on average, exhibited malicious or suspicious attributes that could signify a risk to campaign website visitors.

“…[T]hese domains could have a history of suspicious activity, mask their ownership, or be overtly malicious. Inability to verify domain ownership is a red flag,” the report states. “This type of obfuscation is basic tactic adopted by bad actors, as legitimate enterprises associate their brand and legal entity to their digital properties. In addition, several of these domains were traced to legal entities based in China — a major election security concern when it comes to misinformation.”

Roughly 69 percent of the executing code on the website for incumbent candidate President Donald Trump was created by third parties. This figure is lower than average; however, five of the executing third-party domains the site relies on are suspicious, as they could not be verified as legitimate.

About 78 percent of the executing code on Democratic frontrunner Joe Biden’s campaign website is from third parties, compared to 73 percent for challenger Bernie Sanders’ website. Biden’s website was found to extensively use cookies for tracking, with 24 observed in September and 298 in December. Meanwhile, five of the executing third-party domains that Sanders’ site relies on are suspicious, as they could not be verified as legitimate.

In addition to Trump, Biden and Sanders, The Media Trust also looked at the websites for Cory Booker, Julian Castro, Kamala Harris, Amy Klobuchar, Beto O’Rourke, Elizabeth Warren and Andrew Yang. Among the candidates who have dropped out, Klobuchar had the website that relies most heavily third-party code, used the most cookies (482 in September, 701 in December) and had the most number of potentially untrustworthy executing third-party domains (17).

The average candidate site relied on 89 domains from 54 vendors, the report noted.

The Media Trust also specifically looked at each campaign site’s donation process, and found that site visitors are essentially interacting with nine to 56 different third-party code vendors when they complete a donation transaction. On average, 71 percent of executing code on each candidate payment page has no relevance to the actual transaction.

“As a matter of best practice, campaigns should be vigilant to what executes on their candidate websites. That does not appear to be the case,” the report said.

SC Media has reached out to the Trump, Biden and Sanders campaigns for comment.