question about strange js and connections from browser

Hello,

I'm not sure this is the right place to post, but this forum seemed to be the closest I could find to what I was looking for. I apologize in advance if this is in the wrong place.

I use seamonkey 2.26 for a browser and I have lately noticed something strange. When I visit the website for one of my credit cards, I need to let noscript allow temporary js permissions for the domain. After I allow the temporary permissions, there are then two additional IP addresses (not domains) that are listed as wanting to run js. The odd thing is that the addresses are local host (127.0.0.1) and my own IP address from my ISP. It would appear that something at my IP address wants to run js on the webpage from my credit card and this makes no sense. I am not running any servers here.

Even more strange, I also get a popup from my firewall (Comodo ISP) saying that seamonkey wants permission to connect to the same IP address. This is a TCP connection at a port other than 80, so it's not normal web traffic. Why would seamonkey want to connect to the computer that it's running on at some random port? What would it be connecting to? Again, I'm not running any server process that a client app would normally connect to (sshd, ftp, Apache, etc).

A while ago I remember that when I would start seamonkey, I would get a prompt to allow a cookie to be set from my IP address. This also seemed odd. What would there be at my own IP that would be running code and try to set a cookie in my browser? That issue went away and I haven't run into it since.

I would like to know if anyone has any idea what is going on here and can provide me with some information. If this is not the right place to post a message on this topic, I would appreciate a push in the right direction.

LMHmedchem

 

Hi, if you give us the CC www link we can check it on our browsers.

 

This is the site,

https://www.capitalone.com/

I am in a different profile at the moment, but I still get the noscript entries.

LMHmedchem

 

Can you post a screenshot of the two additional js local host (127.0.0.1) IP addresses

I'm wondering if you have for eg, Trusteer Rapport installed ?

 

I use Chromium and I also see the same thing. Here are the URLs (these are XmlHttpRequests):

https://[my ip address]/NonExistentImage16368.gif
https://127.0.0.1/NonExistentImage15486.gif

Looks like the site is doing some tests to see if your connection is intercepted? The expected result is failure, and I suppose that would raise a flag if the answer to the above requests wasn't a failure.