Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting.

[...]

The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address.

[...]

Researchers say they've seen attackers open administration ports for 36 routers of the list of 166 router fingerprints.