I recently created a statically generated site for a friend. Today I was surprised when she emailed and said the site was riddled with ads. She has likely been the victim of ad injection. And since she was not using an unprotected network, it's likely caused by some spyware that she unintentionally installed.
Now I read a recent report by Google that claims that this is a big problem, 5.5% of their users had injected ads. Naturally, I don't want the users of my website to see crappy ads next to my content.
How can we stop ads from being injected on the client side? Specifically I want to stop ads being injected by viruses and web browser extensions.
If it's impossible to stop ad injection, can we at least detect ad injection and warn the user?
To clarify, I am looking for a library, API or other client-side technology that lets me provide decent protection against ad injection.
It's not possible to solve this issue with your server-side programming, but don't worry about it: Google Chrome, Mozilla & other browsers are working on this.
Google has identified and disabled 192 Chrome browser extensions that injected rogue ads into Web pages opened by users without being upfront about it. The company will scan for similar policy violations in future.
The action followed a study that the company conducted together with researchers from University of California Berkeley and which found that more than five percent of Web users who accessed Google websites had an “ad injector” installed.
The deceptive Chrome extensions were detected as part of that study, but the researchers also found ad injectors affecting browsers such as Internet Explorer and Mozilla Firefox, on both Windows and Mac OS X.
Google doesn’t specifically ban extensions published on the Chrome Web Store from injecting ads into Web traffic, as long as they clearly inform users about what they do, but the study found that around a third of extensions with such functionality were actually malware.
The issue I am currently having is when trying to generate a performance report with Google Lighthouse and/or PageSpeed Insights for mobile devices. On desktop emulation I am getting a score of 99, but through mobile emulation it is not even detecting an FCP event. When actually viewing the site on mobile, however, it is very responsive and quick to load. I'm not really sure why this may be the case and am not aware of any potential solutions. The only suspicion I have is that the site is not 'optimized' for mobile, as it is the exact same site for desktop just with layout adjustments using JS and CSS. The following image is of the localhost report (https://i.stack.imgur.com/13XnB.png)
To clarify, this happens both locally and when hosted.
Things I have tried include:
lazy loading image assets with react-lazy
removing all 3d assets from the site temporarily (react-three-fiber)
trying other analytics tools such as webpagetest (this was able to successfully generate a report and indicate the performance on mobile was not bad)
async loading all API integrations such as Google Analytics, Google reCAPTCHA
pre-connect to all 3rd party resource URIs
I have a website and I need to know which device is used by my users.
Is there a way to know which device is used by a user on a website?
I know some website like webkay.robinlinus can demonstrate all a browser knows about a user.
The best will be to have the device (iPhone/Android) and the type of iPhone (8/XR,etc..) would be perfect.
Thank you for your advice.
Is there a way to know which device is used by a user on a website?
No, there is not - this is by-design and is to protect the privacy of web users.
What you can do is use long-lived cookies or use localStorage to track users on your own sites (origins) - though you'll need to ensure you comply with relevant privacy laws in your jurisdiction.
For web-applications accessed from a desktop browser, you can ask your users to manually download and install software that would run a broker-process or other helper utility that runs a webserver on localhost which your web-application could communicate with to identify the client - but be very careful as this may introduce security and privacy risks and vulnerabilities. This approach is used by Dell to allow their website to read your computer's Service-Tag through the web-browser, and by some of Microsoft's support websites as well. But I stress the importance of exercising extreme caution when implementing this because you don't want other websites or applications using your client-side program.
var x = "User-agent header sent: " + navigator.userAgent;
Send navigator.userAgent in the head tag
This saves the device and browser of the user
For more reference, check W3Schools:
https://www.w3schools.com/jsref/prop_nav_useragent.asp
I'm facing a problem with my Chrome on both Ubuntu 15.04 and Windows 10. It's some sort of malware named xnxx-ads.js. This malware opens unwanted tabs and plays advertisement audio on all sorts of pages. For instance, I might have a SO tab open with a speaker icon, playing an ad!
The thing that is important to me (as a web application developer) is how this malware works!? How can some script be loaded on a web page without it being referenced in the source? Is it because of a security hole in Google Chrome?
BTW, my Chrome is: Version 46.0.2490.86 (64-bit) on both operating systems.
[UPDATE]
My Chrome was just updated to Version 47.0.2526.73 (64-bit) and the problem remains.
To get malware inserted into pages, you generally need one of these things:
1. If it is only on a specific site, it is possible that that site has been compromised and the content comes from the site already infected.
2. Something in your ISP is compromised and the content comes from your ISP already infected.
3. Something in your own network (e.g. router) is compromised and the content arrives on your PC already infected.
4. A malicious program got itself installed on your computer and it is injecting things into web pages as they arrive on your computer (either by modifying the incoming TCP or by messing with the browser).
5. A malicious browser extension got itself installed on your computer and it is injecting things into web pages as the browser loads them.
The most likely options are 4 and 5.
You can probably rule out 1, 2 and 3 by checking the site on your phone or tablet while attached to your home network's wifi. If there is no infection on the web pages viewed on the phone or tablet, then it is not likely 1 or 2 or 3.
If you disable all browser extensions in Chrome and the problem still occurs, then you can probably rule out #5. If the problem goes away when you disable all browser extensions, then you probably have a bad browser extension.
In all cases, you should run a good malware detector. When something like this happened to my daughter's computer, Microsoft Defender did not detect it, but when I downloaded and ran the free Malwarebytes scanner, it did find the problem and removed it.
I am trying to open www.exoplatform.com with Chrome Version 39.0.2171.71 m.
All I get on the screen is JavaScript code. I tried to open it with a different browser, same story.
Tried to open with other notebooks, works perfectly fine.
Any idea what could be the problem?
Some errors from chrome console:
Uncaught SyntaxError: Unexpected identifier
(index):2244 Uncaught TypeError: undefined is not a function
all.js:61 Invalid App Id: Must be a number or numeric string representing the application id.
Refused to load the script 'https://www.best-deals-products.com/ws/sf_main.jsp?
dlsource=hdrykzc' because it violates the following Content Security Policy directive:
"script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.gstatic.com
It sounds really weird.
I can open any other web sites, but just this one.
For example I can open:
http://blog.exoplatform.com/en/
I tried to pause Adblock; nothing changes.
Any ideas?
I had this exact problem today with a new laptop I bought (Lenovo y50... is your machine a lenovo by chance?)
Anyway, the problem for me was caused by what is essentially adware injecting that script into ANY page you go to. You only see this error when trying to access a web app, because Chrome has stricter security policies for those.
If you google about best-deals-products.com you'll find information about how to remove the adware, most of which is pretty unhelpful. Here is what did it for me though:
go to control panel -> add and remove programs
look for "Visual Discovery" by Superfish Inc.
uninstall that.
reboot, and revisit that page.
It has been revealed that many Lenovo computers are shipped with software called "Superfish" which performs a man-in-the-middle attack on all HTTP, and even secure HTTPS, requests using a self-signed SSL certificate.
Furthermore, thanks to the ignorance of the company behind it, the private key included has already been extracted, ready to be used in public to intercept any HTTPS traffic coming from a Lenovo computer.
That means, even for banking or transactions, any attacker can read the supposedly secure content by sniffing your Wi-Fi signal. This is a very hazardous situation.
You can check out if you're vulnerable here. Lenovo issued an instruction to remove the software and the certificate here.
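The first question on this page asks how a site can at least detect client-side ad injection and warn the user, and the console output above shows the mechanism that makes this practical: a Content Security Policy refuses the injected best-deals-products.com script and reports the violation. The block below is an added example (not code from any post on this page) that classifies such CSP violation reports, whether received at a report-uri endpoint or from the browser's securitypolicyviolation event, so injected scripts can be distinguished from the site's own assets; the allow-list and origin names are assumptions.

```javascript
// Origins the site itself loads scripts from (assumption: the site's own
// origin plus gstatic.com, the only host in the policy quoted on this page).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.example-shop.test",  // constructed: the site's own origin
  "https://www.gstatic.com",
]);

function originOf(uri) {
  try { return new URL(uri).origin; } catch { return null; }
}

// True when a script URL belongs to an origin the page ships on purpose.
function isExpectedScript(src, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const origin = originOf(src);
  return origin !== null && allowed.has(origin);
}

// Accepts either the JSON a report-uri endpoint receives ({"csp-report": {...}})
// or a SecurityPolicyViolationEvent (blockedURI / violatedDirective fields).
// Returns one of: "injected-script", "own-asset", "inline-script", "other".
function classifyViolation(report, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const r = report["csp-report"] || report;
  const directive = r["violated-directive"] || r.violatedDirective || "";
  const blocked = r["blocked-uri"] || r.blockedURI || "";
  // Newer browsers report "script-src-elem"; older ones the full directive text.
  if (!directive.startsWith("script-src")) return "other";
  if (blocked === "inline" || blocked === "eval") return "inline-script";
  if (isExpectedScript(blocked, allowed)) return "own-asset"; // our own policy gap
  return "injected-script"; // a script this page never referenced
}

// Tally a batch of reports, e.g. everything a report-uri endpoint logged today.
function summarize(reports, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const counts = { "injected-script": 0, "own-asset": 0, "inline-script": 0, other: 0 };
  for (const rep of reports) counts[classifyViolation(rep, allowed)]++;
  return counts;
}

// Constructed sample reports, modelled on the violation quoted on this page.
const SAMPLE_REPORTS = [
  { "csp-report": { "violated-directive": "script-src 'unsafe-inline' 'self' https://*.gstatic.com",
                    "blocked-uri": "https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc" } },
  { "csp-report": { "violated-directive": "script-src-elem", "blocked-uri": "https://www.gstatic.com/recaptcha/api.js" } },
  { "csp-report": { "violated-directive": "img-src", "blocked-uri": "https://www.best-deals-products.com/pixel.gif" } },
];

// In a browser, the same classifier drives an on-page warning (no-op under Node).
if (typeof window !== "undefined") {
  window.addEventListener("securitypolicyviolation", (e) => {
    if (classifyViolation(e) === "injected-script") console.warn("Blocked injected script:", e.blockedURI);
  });
}
```

The site's CSP must actually omit the injected origins and carry a report-uri or report-to directive for this to fire; the `'unsafe-inline'` in the quoted policy means inline injections would still run unreported.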
The Google Trusted Stores badge is not showing across browsers and platforms.
I can get it to show in Safari Mac but not Chrome or Firefox Mac.
I can get it to show in IE Win and Firefox Win but not Chrome Win.
I went through Google's implementation tips.
Doctype checks out.
Google's Tag Assistant validates on the page.
The test, Test Drive, of the js implementation in Trusted Stores works fine.
robots.txt is also delivered under ssl.
Any ideas?
Google response:
We are writing to you because we noticed a posting your team made asking about the Trusted Stores badge visibility on your site.
I can confirm that your account, qxxxxxxxxxxxxxe.com, is in good standing. The badge is not displaying for half of users due to a few-week experiment we are running with all merchants in the program.
We run experiments from time to time, as we are always looking to improve the user experience with your site and the program. For example, we have made improvements to the badge design and behavior, such as only opening the flyover on click (instead of mouseover).