Most banks have given third party companies remote access to your online bank account, (via a remote code execution vulnerability).
When your browser downloads vulnerable banks' web pages, the banks' code tries to download further code from the third party servers directly.
Servers they do not own or control and this further code can do whatever it likes in the online banking page.
Perhaps: read login details, spoof login forms to grab passwords, fill out forms, click buttons, return data to their servers, send data to bank servers
Not known is whether an abuse of this vulnerability could trigger a social response; such as a bank run. If anyone has research on this please send to the appropriate public bodies.
A critical feature of information security, especially for financial activity, is non-repudiation - activity recorded is strong enough to hold up in court.