For information, the owner of the site was able to resolve the problem.
I'm both pleased to have put him on the right track and sad that it wasn't avast that pointed out the problem.
In the meantime, avast has made him take security risks, not only for himself as an avast customer (the last straw) but also for all visitors to his site, especially those who don't use avast.
For the record, the third-party script on IconStaff.top was unhealthy (hacked?) He rebuilt his site by removing this script and now avast no longer alerts.