Hackers are now exploiting Google’s Analytics service to pilfer credit card information from infected e-commerce sites. The attack hinges on the premise that sites using Google’s web analytics service for tracking visitors have whitelisted the associated domains in their content security policy (CSP) CSP is an added security measure that helps detect and mitigate threats stemming from cross-site scripting vulnerabilities and other forms of code injection attacks. CSP allows webmasters to define a set of domains the web browser should be allowed to interact with for a specific URL.
Source: https://thehackernews.com/2020/06/google-analytics-hacking.html