Oh I think you should do much more than just removing the clicks-value from the DOM because you should NOT have a write-access-token made public.
Anybody could use it to write anything to your collection.
Instead you might want to create a custom endpoint like
/api/public/click
that only expects the banner._id as a parameter and increments the counter on call instead of setting the clicks field value directly.
In addition you might plan on using a NONCE/csrf-token in order to make sure nobody is flooding your API with false “click” counts.
Just a thought.