0

We've started tracking JavaScript errors on our website and see some interesting things coming from users. There have been a lot of legitimate bugs which we've worked to patch up, but one thing we saw recently is what looks like an adware plugin from Shoppingate apparently injecting some code into our site. Is there any way to capture this input and block it on our end so it doesn't degrade the user experience?

In this case we get a Script error. and a one line stack trace:

https://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=300246822525000000&BRAND_DISPLAY_NAME=Browsers%2B%20Apps%20%2B:0:0:in `?'
lobati
  • 9,284
  • 5
  • 40
  • 61
  • any examples you could offer ? – Pogrindis Mar 18 '15 at 18:17
  • added what little we got from our error tracker. I was a little worried it might get flagged as spam. – lobati Mar 18 '15 at 18:33
  • In this case it's a browser extension injecting the code. There isn't a whole lot you can do about it. Here's a related question: http://stackoverflow.com/questions/12494456/protect-against-browser-extension-injected-javascript-code – Kevin B Mar 18 '15 at 18:35

1 Answers1

1

Ultimately there isn't much you can do to prevent code injection done from the client side either explicitly by the user or by an extension. You need to make sure your server code is secure and account for errors. Maybe displaying a message to the user.

It's hard to say without knowing the error, but what you could try to solve this specific problem (again, depending on the error you are getting) is to check for DOM elements created by this specific extension and remove them.

You could also verify if this extension is replacing any function of yours and reload your code on top of it. But I believe it's only worth the trouble if you are getting this problem a lot. The simplest solution in the end might be to detect it and display an alert to the user asking him to disable it.

lbrandao
  • 4,144
  • 4
  • 35
  • 43