plnkr / feedback

Feedback on Plunker

All embedded plunks are spreading malware on click due to domain parked CodeFund CDN `<script>` #556

Closed boghyon closed 1 year ago

boghyon commented 2 years ago
  1. Open a new browser window in Guest mode (== fresh new browser with default settings and no extensions)
  2. Go to https://embed.plnkr.co/
  3. Simply click somewhere (not the "Preview" iframe)

The embed.plnkr.co currently serves the following two scripts:

```html
<script type="text/javascript" src="https://cdn2.codefund.app/assets/px.js?ch=1"></script>
<script type="text/javascript" src="https://cdn2.codefund.app/assets/px.js?ch=2"></script>
```

They both attempt to add the following click handler:

```javascript
// Click handler served by the parked codefund.app domain (quoted from the page as-is).
if (typeof _popwnd == 'undefined') {
   var _popwnd = -1;
   function _popwnd_open(){
       if (_popwnd!=-1) return; // fire only once per page
       // pop-under to the parking provider's ad URL
       _popwnd = window.open('http://iyfnz.com/?dn=codefund.app&pid=9PO755G95', '_blank', '');
       _popwnd.blur();
       window.focus();
   }
};
window.addEventListener('click', _popwnd_open);
```

On 30 June 2020, there was an announcement that CodeFund is shutting down: https://web.archive.org/web/20200630235914/https://codefund.io/ Now that CodeFund is gone, all webpages using the above CDN address serve ads on click thanks to Skenzo Ltd. parking the domain codefund.app and spreading ads and possibly malware.

I think referring to remote scripts without `integrity="<hash>"` is not a good approach.

TL;DR

Please remove codefund CDN addresses and make use of integrity for all remaining remote scripts if applicable.

boghyon commented 2 years ago

@ggoodman Seems to be fixed. I can't find the codefund references anymore. So the malicious click handler is also gone. Thanks!

ggoodman commented 2 years ago

Oh gosh. I can't believe I missed this issue. Indeed, that slipped through the cracks with an ad locker running in my browser. Thanks for reporting ❤️.

boghyon commented 1 year ago

@ggoodman The issue is reproducible again! This is categorized as malware by my employer.

[Screenshot: Plunker distributing possible malware]

This is very urgent.

ggoodman commented 1 year ago

Hi @boghyon, I've redeployed the embedded site with the remaining pixel references removed.