CODEWITHSUNDEEP
javascriptsecurityiframemalware
Lucas M
Lucas M

Reputation: 159

Vimeo Iframe injecting adware?

I have uBlock origin installed (basically adBlock) and started noticing some weird requests blocked on my console:

enter image description here

I checked up on what "scorecardresearch" was and turns out its a less than trustworthy source of adware/possibly malware.

Since I was getting isolated incidents on my website, I dove into my source code and noticed that it was being requested by the Vimeo video iframes (I confirmed this by removing them all and the requests stopped).

Unfortunately, these are an important part of our website. Does anyone know why/how Vimeo iframes are causing this problem?

Upvotes: 5

Views: 840

Answers (2)

Anders Marzi Tornblad
Anders Marzi Tornblad

Reputation: 19305

Even though your original question only asks "Does this happen? Why/how does it happen?", I am taking the liberty of answering a follow-up question, namely:

How can this be avoided?

If the code for your site renders Vimeo iframes for playing video, you can tell Vimeo to not use tracking beacons or cookies, by adding &dnt=1 to the iframe url. Unfortunately, this is not possible using the Vimeo.Player constructor options, so you have to create the iframe manually – either in HTML or in JavaScript.

/* This will not work: */
let player = new Vimeo.Player('player_div_id', {
    id : '1234567',
    dnt : true
});

/* Instead, create the iframe yourself: */
let iframe = document.createElement('iframe');
iframe.setAttribute('src', 'https://player.vimeo.com/video/1234567?dnt=1');
iframe.setAttribute('frameborder', '0');
// set other attributes...
parent_element.appendChild(iframe);
let player = new Vimeo.Player(iframe);

/* Or have the iframe in the server-generated HTML and just: */
let iframe = document.getElementById('playerframe');
iframe.setAttribute('src', 'https://player.vimeo.com/video/1234567?dnt=1');
let player = new Vimeo.Player(iframe);

If you are embedding Vimeo content that you have created yourself, this probably reduces the usefulness of the video statistics, but at least you will not expose your users to third-party tracking!

Upvotes: 0

bobince
bobince

Reputation: 536369

scorecardresearch.com is a tracking service.

The reason it is associated with malware is because it is owned by comScore, who also operate the MarketScore spyware (aka Netsetter, Relevant Knowledge, PremierOpinion, PermissionResearch, MySHCCommunity). In the past, MarketScore was stealthily bundled with third-party applications such as file-sharing apps, leading to it being considered unwanted and generally malicious.

This particular tracking site is widespread on major sites and has not itself been seen to spread malware. Vimeo are unlikely to know or care about comScore's background in unsolicited commercial software. (Let's face it, most of the major players in online advertising have some pretty shady stuff in their pasts.)

Generally if you want to have video on your site but don't want a third party tracking your users across sites, you'll have to host the video yourself.

Upvotes: 3

Related Questions