prebid / Prebid.js

Set up and manage header bidding advertising partners without writing code or confusing line items. Prebid.js is open source and free.
https://docs.prebid.org
Apache License 2.0
1.28k stars 2.05k forks

Header Bidding and Malware #2646

Closed headerbidding closed 6 years ago

headerbidding commented 6 years ago

I am having malvertising issues and just found this through a Google search:

"Actually with header bidding each ad network can in theory execute any JavaScript they want even before they win or if they don't win at all. This is because most header bidding adapters execute at least some JavaScript from the ad network. See pulsepoint for example: https://github.com/prebid/Prebid.js/blob/fd7ae19b65da98599590914ee310157c66dd6780/src/adapters/pulsepoint.js#L12 It will always load and execute tag-st.contextweb.com/getjs.static.js no matter if they even bid. This JavaScript can then do a simple redirect of the top page."

Is this true?

From: https://www.reddit.com/r/adops/comments/6gimey/header_bidding_full_of_malware/

Deimos01 commented 6 years ago

External JS or libs from SSPs are not the source of redirects. Redirects are coming from the winning ads rendered on the page. Some sneaky JS code is hidden in the creatives and unfortunately there is no magic solution to avoid it. You should take a look at this long issue.

headerbidding commented 6 years ago

Thank you. This is good information! I have raised the bid floor to $1.00 for all bidders. I hope this will keep the bad guys away.

mkendall07 commented 6 years ago

As of Prebid 1.x, the referenced behavior (loading external JS by bidders) is not allowed.

headerbidding commented 6 years ago

Thank you. That's good to know!