If the third-party application has the ability to access the true DOM of a page, then it can log the user’s keystrokes. The severity of this attack can range from a simple nuisance all the way to a major security issue if the root page contains password fields or user-specific information.
A probable attack vector for this type of code is to capture the user’s username and password fields. Since a password field would prevent direct access to its value, logging the user’s keystrokes can provide the attacker with all of the information he needs.
For instance, say we have a site that hosts third-party code. On this site, you have a username and password field to allow you to log in. Should this third-party code attach a keypress event on the body of the root page document, then it can log any keys that you press while you are on the page.
This type of attack can be perpetrated by any script that can essentially “phone home” by accessing the parent page that it is being presented on, much like the following sample: