Comment by cogman10
5 days ago
Sure, but that's ultimately a pretty unlikely attack vector. An attacker still needs to exploit some unknown vulnerability of your web browser in order to get something malicious going.
I basically expect that sort of attack to only be pulled off by a state actor or by a black hat convention for the lolz.
ISPs used to inject ads into HTTP-served pages as recently as 10 years ago, I personally remember that. Not only tiny ISPs. I'm not alone: https://superuser.com/questions/902635/isp-is-inserting-ads-...
Ads injection is a relatively benign kind of tampering. It could be much more creative and sinister.