Third-party JavaScript - more critical than ever

Discussion in 'other security issues & news' started by tlu, Jun 27, 2014.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

  2. gorhill

    gorhill Guest

    Adblock Plus would not have prevented the compromised script from loading in this particular instance, unless they had Fanboy annoyance enabled. The URL of the problematic widget on Reuters was:

    hxxp://cdn.taboola.com/libtrc/reuters-network/loader.js

    The only block filter for this URL is in Fanboy annoyance, or EasyList Japan:

    ||taboola.com^$third-party

    The only taboola-related filters in EasyList are element hiding filters. The only taboola.com-related filters in EasyPrivacy do not match the above URL:

    ||taboola.com^*/log/

    Incidentally, hpHosts' ad servers list, which contains over 20,000 hostnames, does contain cdn.taboola.com. I am using this list and so far I didn't notice much breakage. Although I can't enable this list by default just yet, at this point I could suggest that users enable it, with a warning about breakage, but then highlight that this would have stopped the compromised widget from affecting their browser.
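
Added example, not part of the post above and not Adblock Plus's own code: a simplified matcher for the filter syntax quoted in the post, run against the widget URL, showing why only the `$third-party` rule and a hosts entry catch it. The page address, the two-label base-domain shortcut and all function names are assumptions.

```javascript
// Added illustration, not Adblock Plus's own code. Handles only the filter
// syntax quoted in the post: "||", "^", "*" and the "$third-party" option.

function compileFilter(filter) {
  const [pattern, options = ""] = filter.split("$");
  const source = pattern
    .replace(/[.+?{}()[\]\\\/]/g, "\\$&")                      // escape regex metacharacters
    .replace(/\*/g, ".*")                                       // "*" matches any run of characters
    .replace(/\^/g, () => "(?:[^\\w\\-.%]|$)")                  // "^" is a separator or end of URL
    .replace(/^\|\|/, () => "^[\\w\\-]+:\\/+(?:[^\\/]+\\.)?");  // "||" anchors at a (sub)domain
  return {
    regex: new RegExp(source),
    thirdPartyOnly: options.split(",").includes("third-party"),
  };
}

function hostOf(url) {
  const m = /^[\w\-]+:\/+([^\/:?#]+)/.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Assumption: the last two labels approximate the registrable domain.
// Real blockers consult the Public Suffix List instead.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function filterBlocks(filter, requestUrl, pageUrl) {
  const { regex, thirdPartyOnly } = compileFilter(filter);
  if (!regex.test(requestUrl)) return false;
  const thirdParty = baseDomain(hostOf(requestUrl)) !== baseDomain(hostOf(pageUrl));
  return !thirdPartyOnly || thirdParty;
}

// A hosts-style list blocks on an exact hostname match, whatever the path.
function hostsListBlocks(hostnames, requestUrl) {
  return hostnames.has(hostOf(requestUrl));
}

const widgetUrl = "hxxp://cdn.taboola.com/libtrc/reuters-network/loader.js"; // from the post (defanged)
const pageUrl = "hxxp://www.reuters.com/";        // constructed page address
const hostsSample = new Set(["cdn.taboola.com"]); // the one hostname named in the post

console.log("Fanboy annoyance rule blocks:", filterBlocks("||taboola.com^$third-party", widgetUrl, pageUrl));
console.log("EasyPrivacy rule blocks:", filterBlocks("||taboola.com^*/log/", widgetUrl, pageUrl));
console.log("hosts entry blocks:", hostsListBlocks(hostsSample, widgetUrl));
```
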
     
  3. tlu

    tlu Guest

    That's good to know. And it didn't cause much breakage for me, either. (But the big hpHosts HOST file did.)

    Let's hope that MysteryFCM's editing will make it possible to enable it by default eventually. (And let's hope that his editing will also include the big hosts file.)
     