Re: Why do browsers allow JS from other domains to run
VbV is just dire - it encourages users to accept bad security practices (shedloads of dodgy named third party .js components) - looks exactly like a scam site.
Just because you take payments does not mean you need the VbV site.
You could (https obv) get customer card details yourself (transiently) with no need for third party code and call your payment provider server side (in the way that desktop apps do and are happily PCI DSS compliant).
Obviously that way all the onus is on you to keep your site secured as when you "offload" to 3rd party VbV page then some liability on them, so you need a good security focus (CSP will become your friend) - You could go further and write your site old school and have Zero JS and security settings not allowing any JS at all (that would get the hipster web devs choking on their 10 word coffees).
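An added example, not part of the post above: a small Python check of what a Content-Security-Policy header lets the browser run as script, from no JS at all through to script from other hosts. The function names, the category labels and the sample policies (including `cdn.payments.example`) are constructed for illustration, and only `script-src` and its `default-src` fallback are evaluated.

```python
# Added example; policies below are constructed samples.
# Assumption: only script-src and default-src are considered
# (script-src-elem and script-src-attr are outside this example's scope).

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:  # a repeated directive is ignored; the first wins
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy

def script_exposure(header):
    """Classify script execution allowed by the policy.

    'unrestricted'   - nothing in the policy governs scripts
    'none'           - no script may run (the zero-JS site)
    'first-party'    - only 'self', nonces, hashes or inline/eval keywords
    'external-hosts' - a host, scheme or wildcard source (or 'strict-dynamic',
                       which lets trusted scripts load further ones) is allowed
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "unrestricted"
    if len(sources) > 1:  # 'none' only has effect when it stands alone
        sources = [s for s in sources if s != "'none'"]
    if not sources or sources == ["'none'"]:
        return "none"
    for s in sources:
        quoted_keyword = s.startswith("'") and s.endswith("'")
        if not quoted_keyword or s == "'strict-dynamic'":
            return "external-hosts"
    return "first-party"

SAMPLES = {  # constructed header values
    "zero JS": "default-src 'self'; script-src 'none'",
    "own scripts only": "default-src 'self'",
    "third-party payment JS": "script-src 'self' https://cdn.payments.example",
    "no script rule": "img-src 'self'",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:24} -> {script_exposure(header)}")
```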