GDPR distinguishes between the "Controller" and "Processor" for data. A Controller has the most responsibility under GDPR. A Processor has separate responsbilities, and generally fewer of them.
In your example, Site X would be the Controller. Google or Facebook may be a Processor, or they may not be involved at all. If the JavaScript in question sends data to Facebook/Google then they are a Processor, whereas if it's purely a client-side library or something that helps Site X send data to itself then the situation is more ambiguous.
Vendors could arrange the relationship in such a way as to be joint controllers instead of processors if they wanted to. Most companies seem to want to avoid this set-up if possible.
In your example, Site X would be the Controller. Google or Facebook may be a Processor, or they may not be involved at all. If the JavaScript in question sends data to Facebook/Google then they are a Processor, whereas if it's purely a client-side library or something that helps Site X send data to itself then the situation is more ambiguous.
Vendors could arrange the relationship in such a way as to be joint controllers instead of processors if they wanted to. Most companies seem to want to avoid this set-up if possible.