Just saw from a tweet that NZ Herald is vulnerable to a XSS attack. Example here.
The thing is, the vulnerability was disclosed almost thirteen months ago. Note that all the examples in that blog post are now fixed. Which means that obviously APN has not updated their ad platform in the last year or so.