Insecure third-party scripts
They haven't locked down their web app JavaScript includes: Facebook, Hotjar, Amplitude, Google, and others have access to your production SSL keys, code, passwords, etc.
It's a quick smell test for whether a company actually cares about security: what third-party scripts are included in their "secure" web page areas. The default web developer doesn't know better, and it is hard to lock down third parties (the best solution is to avoid unnecessary third-party shit like analytics; you can also use iframes or more complex solutions like Caja).
This guy asked them about this issue 2 years ago, and apparently they haven't done much about it, which signals that CircleCI's security is poor: https://kevin.burke.dev/kevin/circleci-is-hopelessly-insecure/
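The "smell test" in the comment above, written out as an added audit helper (this is example code, not from the comment or from CircleCI): it lists every script include whose host differs from the page origin, and notes whether the tag carries a Subresource Integrity hash. The page origin, the script list and the vendor hosts are constructed sample values; in a browser you would pass `location.origin` and `Array.from(document.scripts)` instead.

```javascript
// Added example: enumerate third-party script includes on a page.
// Pure function so it runs in Node on a constructed list; in a browser,
// call it with location.origin and Array.from(document.scripts).

function auditThirdPartyScripts(pageOrigin, scripts) {
  const firstPartyHost = new URL(pageOrigin).host;
  const findings = [];
  for (const s of scripts) {
    if (!s.src) continue;                 // inline <script> has no external origin
    let url;
    try {
      url = new URL(s.src, pageOrigin);   // resolve relative paths against the page
    } catch {
      continue;                           // unparsable src: nothing to classify
    }
    if (url.host === firstPartyHost) continue;
    findings.push({
      src: url.href,
      host: url.host,
      // A missing integrity attribute means the vendor can ship any code it
      // likes into this page context at any time (assumed typical for analytics tags).
      hasIntegrity: Boolean(s.integrity),
    });
  }
  return findings;
}

// Constructed sample: what a "secure" dashboard page might include.
const SAMPLE_ORIGIN = "https://app.example.com";
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", integrity: "" },                        // first-party
  { src: "https://tag.vendor-a.example/analytics.js", integrity: "" },
  { src: "https://cdn.vendor-b.example/heatmap.js", integrity: "" },
  { src: "https://cdn.vendor-c.example/lib.js", integrity: "sha384-PLACEHOLDER" },
];

console.log(auditThirdPartyScripts(SAMPLE_ORIGIN, SAMPLE_SCRIPTS));
```

Every entry the function returns runs with the same DOM, cookie and network access as the page's own code, which is the exposure the comment describes.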