How do we remove this script injector system and clear its functions from memory?
Brief) Recently the culprits at Bigcommerce created an analytics injector (JS) under the guise of "monitoring", locked inside a global variable. They rolled it out to all 50,000 storefronts without the consent of any of the OPs. It drops in 2 JS libraries and sets up (pure code) triggers for them to track customers, behaviour and store plans, sending the data to a shared 3rd-party analytics platform. The problem is that, although they run the code, they do not own the right to drop such third-party libraries into thousands of domains outside their own. Does anyone know how we can kill this + remove it from memory? Is it legal for them to do this?
1) The injector is found in the shared global %%GLOBAL_AdditionalScriptTags%% in the HTMLHead.html panel, meaning it is not accessible. AdditionalScriptTags is also dynamic, meaning it loads different JS helpers depending on the page requested. For this reason, deleting the variable is not an option.
2) The injector uses various DSL variables on the PHP side to build its settings. This is what it looks like in the <head> when I browse our store logged in as a customer. It places 2 lines for 2 separate libraries, which I will define below (note that certain tokens are hidden as 1234):
(function () {
    // Queue stub: until analytics.min.js arrives, every method just records its
    // call into the window.analytics array; the library flushes the queue later.
    window.analytics || (window.analytics = []);
    window.analytics.methods = ["debug", "identify", "track", "trackLink", "trackForm", "trackClick", "trackSubmit", "page", "pageview", "ab", "alias", "ready", "group", "on", "once", "off", "initialize"];
    window.analytics.factory = function (a) {
        return function () {
            var b = Array.prototype.slice.call(arguments);
            b.unshift(a);
            window.analytics.push(b);
            return window.analytics;
        };
    };
    for (var i = 0; i < window.analytics.methods.length; i++) {
        var method = window.analytics.methods[i];
        window.analytics[method] = window.analytics.factory(method);
    }
    // Inserts the remote analytics.min.js as an async <script> before the first script tag.
    window.analytics.load = function () {
        var a = document.createElement("script");
        a.type = "text/javascript";
        a.async = !0;
        a.src = "http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/analytics.min.js";
        var b = document.getElementsByTagName("script")[0];
        b.parentNode.insertBefore(a, b);
    };
    window.analytics.SNIPPET_VERSION = "2.0.8";
    window.analytics.load();

    // uncomment the following line to turn analytics.js debugging on
    // shows verbose events and other useful information
    // analytics.debug();

    var storeId = '123456',
        userId = '921';

    // initialize with Fornax and Segment.io
    var providers = {
        Fornax: {
            host: 'https://analytics.bigcommerce.com',
            cdn: 'http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/fornax.min.js',
            defaultEventProperties: {
                storeId: storeId
            }
        },
        'Segment.io': {
            apiKey: '1sbkkbifdq'
        }
    };
    var fornaxEnabled = false;
    var segmentIOEnabled = false;
    var isStorefront = true;
    if (!fornaxEnabled) {
        delete providers.Fornax;
    }
    if (!segmentIOEnabled || isStorefront) {
        delete providers['Segment.io'];
    }
    analytics.initialize(providers);

    // identify this user (email redacted in the original post)
    analytics.identify(
        userId || null,
        {"name":"Test Dude","email":"[email protected]","storeHash":"123456","storeId":123456,"namespace":"bc.customers","storeCountry":"United States","experiments":{"shopping.checkout.cart_to_paid":"legacy_ui","search.storefront.backend":"mysql"},"storefront_session_id":"6b546880d5c34eec4194b5825145ad60d312bdfe"}
    );
})();
3) The libraries are output as 2 references in the <head>. As you can see, pretty untouchable if you own/demo a BC store:
<script type="text/javascript" async="" src="http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/fornax.min.js"></script>
<script type="text/javascript" async="" src="http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/analytics.min.js"></script>
How can we break the injector and these trackers and stop them from loading? Is there any way to remove their functions from memory? Speaking for thousands of OPs and segment.io, we are all stumped by this.
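As an added example (not part of the original question or of Bigcommerce's code), this is how a store owner's own theme JS could neutralize the `window.analytics` queue stub quoted above: every queued method becomes an inert no-op that still returns the stub so chained calls don't throw, the queued `identify()`/`page()` calls are dropped, `load()` no longer inserts the remote script, and the two CDN paths from the snippet are used to strip their `<script>` tags. The names `TRACKER_PATHS`, `isTrackerScript`, `neutralizeAnalyticsStub` and `installBlocker` are mine; the method list and paths are taken from the snippet.

```javascript
// Added example, not from the original question. TRACKER_PATHS, isTrackerScript,
// neutralizeAnalyticsStub and installBlocker are my names; the method list and
// the two CDN paths come from the injected snippet quoted above.
const TRACKER_PATHS = ['/app/assets/js/analytics.min.js', '/app/assets/js/fornax.min.js'];

// True when a script URL points at one of the two injected tracker libraries.
function isTrackerScript(src) {
  if (typeof src !== 'string') return false;
  let path;
  try { path = new URL(src, 'https://example.invalid/').pathname; } catch (e) { return false; }
  return TRACKER_PATHS.some((p) => path.endsWith(p));
}

// Make the window.analytics queue stub inert: each queued method becomes a
// no-op that still returns the stub (so chained calls don't throw), the queued
// identify()/page() calls are dropped, and load() no longer inserts a script.
function neutralizeAnalyticsStub(analytics) {
  if (!analytics) return null;
  const methods = Array.isArray(analytics.methods) ? analytics.methods : [];
  const noop = () => analytics;
  for (const m of methods) analytics[m] = noop;
  analytics.factory = () => noop;    // any method built later is inert too
  analytics.push = () => 0;          // swallow direct pushes into the queue
  analytics.load = () => undefined;  // never fetch analytics.min.js
  analytics.length = 0;              // empty the already-queued events
  analytics.neutralized = true;
  return analytics;
}

// Browser glue: neutralize the current stub, remove tracker <script> tags that
// are already in the DOM, and watch for ones inserted later. Returns false when
// there is no window/document (e.g. under Node), so it is safe to load there.
function installBlocker(win) {
  const w = win || (typeof window !== 'undefined' ? window : null);
  if (!w || !w.document) return false;
  neutralizeAnalyticsStub(w.analytics);
  const strip = (nodes) => {
    for (const n of nodes) {
      if (n.tagName === 'SCRIPT' && isTrackerScript(n.src)) n.parentNode.removeChild(n);
    }
  };
  strip(w.document.querySelectorAll('script[src]'));
  new w.MutationObserver((muts) => muts.forEach((mu) => strip(mu.addedNodes)))
    .observe(w.document.documentElement, { childList: true, subtree: true });
  return true;
}
```

Because the injector runs first from the `<head>` and `analytics.min.js` loads async, this has to execute before that library arrives and swaps in the real `window.analytics`; where you control response headers, a `Content-Security-Policy` `script-src` that omits the CDN host is the more reliable control.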