The application is loaded over an HTTPS connection, but it loads resources over an unencrypted HTTP connection. An attacker who is strategically positioned between the victim and the application can eavesdrop on all communications between them. In this case, the attacker would only be able to eavesdrop on the resources loaded over HTTP, but could modify their contents to affect other parts of the application, even those loaded over a secure connection.
All resources present in the page must be loaded over HTTPS, including those served from third-party services, such as those used for analytics.
Resources provided by third parties are normally available over HTTPS, and most of the time it is just a matter of replacing http with https. However, you should always consult the documentation of the service to ensure you are loading the resource from the proper URL.
For resources that are not available over HTTPS, you can create an HTTPS reverse proxy that loads the resource over HTTP and serves it over HTTPS.
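To check a page against the requirement that every resource is loaded over HTTPS, the following added example (not part of the original page) lists the subresources an HTTPS page would fetch over HTTP. The tag and `rel` lists are a chosen subset, and the hosts in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource. <a href> is navigation, not a load.
LOADING_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",), "embed": ("src",),
                 "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
                 "object": ("data",), "link": ("href",)}
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}  # <link> rels that fetch

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # A <base> tag changes how every later relative URL resolves.
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        if tag == "link" and not LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            return  # e.g. rel="canonical" is metadata, nothing is fetched
        for name in LOADING_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            resolved = urljoin(self.base_url, value)  # resolves relative and //host URLs
            if value and urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, resolved))

def find_mixed_content(page_url, html):
    """Return (line, tag, url) for each subresource an HTTPS page loads over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts).
SAMPLE = """<html><head>
<script src="http://analytics.example/track.js"></script>
<link rel="stylesheet" href="//cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
</head><body><a href="http://other.example/">elsewhere</a>
<img src="HTTP://img.example/banner.png"><img src="/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://shop.example/", SAMPLE):
        print(finding)
```

This static check does not see URLs in `srcset`, in CSS `url(...)` values, or requests issued by scripts at run time, so browser console warnings remain a useful second check.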