Technically yes, it's a security risk. Allowing a third party to execute arbitrary JS means they could steal session cookies, which could allow them to log in, for example, as an admin. You're trusting that the advertiser's JS doesn't contain anything harmful, or that something harmful won't be inserted at some point in the future.
I vaguely recall reading that you can protect against this by loading the third party JS in a frame. Your parent frame JS can invoke the third party code, but the third party JS can't escape it's frame. There may be more to it than that, and I may be mis-remembering as well, but that should give you something specific to research.