
Javascript stop browser advertisement add ons

Is there any way to stop browser add-ons from injecting HTML code?

I have a website built in AngularJS, but because of some browser add-ons my route is getting messed up. This is the HTML snippet which is causing some errors in my AngularJS:

<script async="" src="http://b.scorecardresearch.com/beacon.js"></script>
<script type="text/javascript" async="" src="http://in1.perfectnavigator.com/d.php?id=57573&amp;eid=&amp;vdisp=0&amp;u=http://www.domain.com/app/#/users&amp;r=http://www.domain.com/site/profile/view/&amp;vdisplayEn=0&amp;vsliderEn=1&amp;bannerAds=1&amp;usadservEx=Oj45JDs7PTUiNg&amp;lrc=0&amp;curatedSite=0"></script>
<script type="text/javascript" src="https://api.jollywallet.com/affiliate/client?dist=111&amp;sub=1&amp;name=Browser%20Extensions"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOCA"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOis"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOiA"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOSA"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOSs"></script>
<script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=hhnkdzlc&amp;CTID=ssaddon"></script>
<script type="text/javascript" src="http://istatic.datafastguru.info/fo/min/abc1RSQC.js"></script>
<script type="text/javascript" src="http://i.swebdpjs.info/sweb/javascript.js"></script>
<script type="text/javascript" src="http://cond01.etbxml.com/conduit_bundle/web/hotels.php?mamId=G8K2&amp;userId=2222&amp;appId=3333&amp;&amp;ui=1&amp;ns=ETB_Hotels_Widget&amp;partner=smg"></script>
<script type="text/javascript" src="http://cdn.visadd.com/script/14567725590/preload.js"></script>
<script type="text/javascript" src="https://www.tr553.com/InterYield/bindevent.do?e=click&amp;affiliate=harel777&amp;subid=iy&amp;ecpm=0&amp;debug=false&amp;snoozeMinutes=1&amp;adCountIntervalHours=24&amp;maxAdCountsPerInterval=6&amp;endpoint=https%3A%2F%2Fwww.tr553.com"></script>
<script type="text/javascript" src="https://intext.nav-links.com/js/intext.js?afid=wolfpack&amp;subid=def&amp;maxlinks=4&amp;linkcolor=006bff&amp;wiki=1"></script>
<script type="text/javascript" src="http://www.adcash.com/script/java.php?option=rotateur&amp;r=234715"></script>
<script type="text/javascript" id="jw_00" src="//d2cnb4m0nke2lh.cloudfront.net/jollywallet/resources/js/2/affiliate_client.js"></script>
<script src="//jsgnr.datafastguru.info/fl/blm"></script>
<script src="//jsgnr.datafastguru.info/site-classification"></script>
<script src="//jsgnr.datafastguru.info/fl/blm"></script>
<script src="//jsgnr.datafastguru.info/bwl/wl"></script>
<script src="//jsgnr.datafastguru.info/fl/blm"></script>
<script src="//pstatic.datafastguru.info/fo/ecom/lang.js?c=in"></script>
<script src="//pstatic.datafastguru.info/rss/min/fo.min.js?v=2_3_621&amp;b=dynamic&amp;l=right"></script>
<script src="//jsgnr.datafastguru.info/bwl/wl?v=1"></script>
<script src="//jsgnr.datafastguru.info/site-classification"></script>
<script src="//pstatic.datafastguru.info/fo/ecom/lang.js?c=in"></script>
<script src="//jsgnr.datafastguru.info/bwl/wl?v=1"></script>
<script src="//pstatic.datafastguru.info/rb/min/fo.min.js?v=1_1_63"></script>
<script src="//jsgnr.datafastguru.info/bwl/bl"></script>
<script src="//jsgnr.datafastguru.info/bwl/bl?v=1"></script>
<script src="//jsgnr.datafastguru.info/bwl/bl?v=1"></script>
<script type="text/javascript" src="http://www.superfish.com/ws/sf_preloader.jsp?dlsource=hhnkdzlc&amp;CTID=ssaddon&amp;ver=2014.11.25.14.48"></script>

Because of this my URL which was:

www.domain.com/app/#/users

changes to

www.domain.com/users

And I am getting URL related errors: TypeError: Cannot read property 'charAt' of undefined

If I run my website on a browser without any add-ons it works like a charm, but with the above add-ons I am getting errors.

One of our website's users is facing this issue. Is there any solution to get rid of this?

Niraj Chauhan asked Nov 27 '14 11:11


2 Answers

I looked a bit into intercepting the <script> element injection into the document and preventing the code from loading. Disclaimer: I'm no expert on this subject, I just wanted to share what I tried.

At first, I played a bit with MutationObserver, watching the DOM for the creation of a <script> element, and removing it. I came up with the following snippet, added at the very beginning of my HTML page, supposedly to make it load first:

// Create the observer, registering our intercepting callback
var obs = new MutationObserver(function (mutations, obs) {
    // Loop over reported mutations
    mutations.forEach(function (mutation) {
        // childList means nodes have been added. That's the only thing
        // we're interested in
        if (mutation.type !== 'childList') return;

        // Check the added nodes
        for (var i=0; i < mutation.addedNodes.length; i++) {
            var node = mutation.addedNodes[i];
            // Ignore all but SCRIPT elements
            if (node.nodeName !== 'SCRIPT') continue;
            // Remove it
            node.parentNode.removeChild(node);
            console.log(node.nodeName);
        }
    });
});
// Start observer
obs.observe(document, {subtree: true, childList: true});

Obviously, this was doomed to fail. If I need to ask a parent element to remove the node, that means it was already added to the DOM and loaded (loading, at least) when I came in to prevent it.

I tried to get there earlier, by overriding document.createElement and returning <div>s instead of <script>s:

document.createElementOriginal = document.createElement;
document.createElement = function (tagName) {
    if (tagName.toLowerCase() == 'script') {
        console.log('Script interception');
        tagName = 'div';
    }

    return document.createElementOriginal(tagName);
};

But no luck. Looking at the console, no interception was reported. Still too late.

I can only conclude that the extension data is injected before any script on my page is executed, or that the element injection is made in a way independent of the scope I could access in my code.

If you have any suggestions on how I could investigate further, feel free to point me in that direction.

svvac answered Sep 27 '22 17:09


Tell the user to uninstall her add-ons.

OR, if you are truly intent on making your website compatible with this user's array of add-ons (perhaps she is a person of high importance, or she represents many people in an organization in which everyone has these add-ons installed?)...

Designate the line of code at which the error is thrown, and set a breakpoint there. Here are instructions on how to do that in Chrome. Walk your way up the call stack and see if you can find any clues.

If that does not work, try removing some of those scripts. Find out which ones, when removed, solve the issue. Try as many combinations as you are willing to try. Once you have found the culprit script, determine which add-on injected it. Instruct the user to uninstall this add-on, otherwise she will not be able to use your website.

If you want to work around the existence of this script, and you really think it's worth your time (it probably isn't), you can examine the culprit script and try to find out where it's screwing you up. If the script is minified, you can drop it into a deobfuscator like jsnice and scour it. Of course, that will take forever.

In a final bid to get your site to work alongside these add-ons, you could employ various hacks, like wrapping your code in try catch blocks and redirecting on errors, using setTimeout to sidestep errors, etc etc... but really, the easy and obvious solution is to uninstall the add-ons.

Jackson answered Sep 27 '22 19:09
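A triage aid for the "find out which scripts" step in the answers above, added here as an example and not code from either answerer: it groups script `src` values by host and reports those that are not on an allowlist of hosts the site itself loads from. The function names, the allowlist contents and the `/app/js/app.js` entry are assumptions; the other sample values are a subset of the `src` attributes quoted in the question.

```javascript
// Hosts the site is expected to load scripts from (assumed allowlist).
const EXPECTED_SCRIPT_HOSTS = new Set(['www.domain.com']);

// Undo the HTML entity that appears in src values copied from markup.
function decodeSrc(src) {
  return src.replace(/&amp;/g, '&').trim();
}

// Group script sources whose host is not on the allowlist.
// `srcs` holds src attribute values; `pageUrl` is used to resolve
// relative and protocol-relative ("//host/path") sources.
function findUnexpectedScripts(srcs, pageUrl, allowed = EXPECTED_SCRIPT_HOSTS) {
  const byHost = new Map();
  for (const raw of srcs) {
    if (!raw) continue; // inline script: no src to classify
    let host = '(unparseable)';
    let path = raw;
    try {
      const url = new URL(decodeSrc(raw), pageUrl);
      host = url.hostname;
      path = url.pathname;
    } catch (e) {
      // keep the raw value so the report still shows it
    }
    if (allowed.has(host)) continue;
    const entry = byHost.get(host) || { host, count: 0, paths: new Set() };
    entry.count += 1;
    entry.paths.add(path);
    byHost.set(host, entry);
  }
  // Most frequently seen hosts first, ties broken by host name.
  return [...byHost.values()]
    .map((e) => ({ host: e.host, count: e.count, paths: [...e.paths].sort() }))
    .sort((a, b) => b.count - a.count || a.host.localeCompare(b.host));
}

// Sample input: src values from the question plus one constructed
// first-party script (/app/js/app.js) for contrast.
const SAMPLE_SRCS = [
  '/app/js/app.js',
  'http://b.scorecardresearch.com/beacon.js',
  '//jsgnr.datafastguru.info/fl/blm',
  '//jsgnr.datafastguru.info/bwl/wl?v=1',
  '//jsgnr.datafastguru.info/fl/blm',
  'http://www.superfish.com/ws/sf_main.jsp?dlsource=hhnkdzlc&amp;CTID=ssaddon',
];

console.log(JSON.stringify(
  findUnexpectedScripts(SAMPLE_SRCS, 'http://www.domain.com/app/'), null, 2));
```

In a browser console, the same function can be fed `[...document.scripts].map(s => s.getAttribute('src'))` with `location.href` as the base, which gives the list of hosts to match against installed add-ons.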