What To Do When Bad Ads Get Past Your SafeFrame Containers

by Andrew Reed, on Oct 26, 2021 9:00:00 AM

SafeFrames are a simple and effective way to prevent advertisers from enacting basic malvertising attacks on a publisher page, but more sophisticated attackers are still capable of escaping the sandboxing environment and exploiting your webpage.

Publishers and advertisers alike should look at SafeFrame as a necessary baseline security measure for any online publisher monetizing their site channels and looking to protect their ad content, but it is far from a final solution.

If you are experiencing persistent and frequent attacks from advertisers breaking out of your SafeFrame, the most common DIY approach is to try and track down these harmful ads yourself and add them to your block list.

But this can be time-consuming and difficult, and you get stuck in an endless cycle as malvertisers swap URLs to circumvent your block list. 

If you want to see a full stop to your malvertising issues, you will want to partner with an ad security group that specializes in preventing more advanced forms of malvertising attacks.

And while most tools also rely on block-listing strategies, our cleanAD script is simply a single line of code that detects bad ads behaviorally. This means you are always protected, even when a new attack threat enters the ecosystem.


What is SafeFrame?

To get a full understanding of SafeFrames, we need to start with a definition of iFrames.

iFrames surround your ad slots and protect your webpage by preventing advertisers from interacting with the code on your site.


This is because iFrames load content from different domains, known as “cross-domain”, and basic browser security prevents content from different domains from interacting with or interrupting each other, known as the same-origin policy.

Essentially, iFrames work as windows on your site that display content from other domains. The ad stays inside the frame and is unable to interact with the publisher page on its own.




The issue is that because advertisers are prevented from interacting with data and scripts on the parent frame (the rest of the webpage the iFrame is placed in), iFrames restrict the ability to track viewability metrics, load rich media formats, or share user data advertisers may be interested in, blunting the effectiveness of an ad campaign.

This is why the IAB introduced SafeFrame technology: essentially an iFrame with an API, which gives publishers greater control over security issues by allowing them to choose which kind of information is shared with advertisers.

An API (Application Programming Interface) is how all applications are able to communicate with each other, from email and texting, to databases and form requests.

By adding this functionality, advertisers can now have limited tracking capabilities while also being able to correctly shape and size their ads to fit the frame, something iFrames do not allow.
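To make the "iFrame with an API" idea concrete, here is an added example (not IAB SafeFrame code and not from the original article) of a host-side message handler that answers only publisher-approved requests from the ad frame. The origin `https://ads.example`, the message shape, the field names and the `handleAdMessage` function are all assumptions made for illustration.

```javascript
// Simplified model of a publisher-controlled frame API (assumed names throughout).
const AD_ORIGIN = "https://ads.example";            // assumed ad-serving origin
const SHARED_FIELDS = new Set(["inViewPercent", "slotWidth", "slotHeight"]);
const MAX_EXPAND_PX = 250;                           // publisher-set resize limit

// Constructed page state; only fields in SHARED_FIELDS may leave the page.
function slotState() {
  return { inViewPercent: 80, slotWidth: 300, slotHeight: 250,
           pageUrl: "https://publisher.example/article",
           userEmail: "reader@example.com" };
}

// event: { origin, source, data } as delivered to a window "message" listener.
// adWindow: contentWindow of the iframe the publisher created for this slot.
function handleAdMessage(event, adWindow, state = slotState()) {
  if (event.origin !== AD_ORIGIN) return { ok: false, reason: "origin" };
  if (event.source !== adWindow) return { ok: false, reason: "source" };
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return { ok: false, reason: "shape" };

  if (msg.type === "get") {
    // The publisher, not the ad, decides which fields are readable.
    if (!SHARED_FIELDS.has(msg.field)) return { ok: false, reason: "field" };
    return { ok: true, field: msg.field, value: state[msg.field] };
  }
  if (msg.type === "expand") {
    const px = Number(msg.px);
    if (!Number.isInteger(px) || px < 0 || px > MAX_EXPAND_PX) {
      return { ok: false, reason: "size" };
    }
    return { ok: true, expandTo: state.slotHeight + px };
  }
  return { ok: false, reason: "type" };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const frame = document.querySelector("iframe#ad-slot");
  window.addEventListener("message", (e) => {
    const reply = handleAdMessage(e, frame && frame.contentWindow);
    if (reply.ok) e.source.postMessage(reply, AD_ORIGIN);
  });
}
```

Every message from the frame is untrusted input, so the handler checks origin, sender window and message shape before answering, and rejected requests get no reply.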


How Malvertisers Get Around SafeFrame

SafeFrame is an API-enabled iFrame, allowing you to protect your website from malicious JavaScript and harmful third-party vendors while still communicating some tracking and sizing information to the advertiser.

This sounds like a great solution to the shortcomings of iFrames, but there are still vulnerabilities that allow malvertisers to circumvent SafeFrame security.

You are still creating a line of communication that sophisticated ad code can abuse through cross-site scripting and other vulnerabilities found within your browser.

Beyond this, mobile web browsers often lack the features necessary for SafeFrames to work, which means your mobile traffic (which is often the most common form of web browsing) remains unprotected.

SafeFrame also does not directly report viewability metrics. The API-enabled iFrame only allows for access to information the advertiser can use to determine whether or not the SafeFrame container is "in view." Many advertisers will require more information about viewable content than this.

Adopting SafeFrame helps stop basic attacks, but users are vulnerable to malvertisers looking to steal personal email addresses, credit card numbers, and other personal information.


Tracking Down and Blocking Malvertisers

If you are looking for ways to protect your site without committing to an ad security group, exploring the front end of your site will be your best way of locating malicious ads.

Check out your site metrics and focus on pages with unusual numbers. Then take the time to engage with the ads on that page. If you discover an ad that is clearly disrupting your user experience or luring users into harmful phishing sites, you can add their URL to your block list and prevent that ad from appearing on your site. 

You may also consider using Charles web proxy, which tracks data being shared between your browser and other web servers/clients. This way you can see exactly which interactions on your webpages are potentially harmful, and then block whichever URL is causing those interactions.

The issue is, most malvertisers are used to dealing with blocklisting, and can quickly swap out their URL to a brand new one, allowing them to sneak past your blocklist and continue serving you harmful ads.

You can, of course, then add the new URL to the blocklist, but you will quickly find yourself in a never-ending game of cat and mouse, needlessly using up priceless time, energy, and resources that could be spent on bigger picture issues, increasing operational costs.
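The proxy review and the blocklist gap described above can be seen in a small triage script. This is an added example, not part of the original article: it assumes the captured session has been exported in HAR format (entries with `request.url`, `response.status` and `response.redirectURL`), and the host names, `KNOWN_HOSTS`, `BLOCKLIST` and `triage` are constructed for illustration.

```javascript
// Hosts the publisher expects to see on the page (constructed).
const KNOWN_HOSTS = new Set(["publisher.example", "cdn.publisher.example", "ads.example"]);
// Current URL blocklist, reduced to host names (constructed).
const BLOCKLIST = new Set(["bad-creative.example"]);

// Constructed HAR-style entries: one blocklisted creative, one new creative
// that redirects off-site, and the landing page it redirects to.
const sampleEntries = [
  { request: { url: "https://publisher.example/article" }, response: { status: 200, redirectURL: "" } },
  { request: { url: "https://ads.example/slot?id=1" }, response: { status: 200, redirectURL: "" } },
  { request: { url: "https://bad-creative.example/c.js" }, response: { status: 200, redirectURL: "" } },
  { request: { url: "https://new-creative.example/c.js" },
    response: { status: 302, redirectURL: "https://prize-claim.example/win" } },
  { request: { url: "https://prize-claim.example/win" }, response: { status: 200, redirectURL: "" } },
];

// Summarise every host outside KNOWN_HOSTS: request count, blocklist status,
// and any redirect it issued to a different host.
function triage(entries, known = KNOWN_HOSTS, blocklist = BLOCKLIST) {
  const findings = new Map();
  for (const e of entries) {
    const host = new URL(e.request.url).hostname;
    if (known.has(host)) continue;
    const f = findings.get(host) ||
      { host, requests: 0, blocklisted: blocklist.has(host), redirectsTo: [] };
    f.requests += 1;
    const { status, redirectURL } = e.response;
    if (status >= 300 && status < 400 && redirectURL) {
      const target = new URL(redirectURL, e.request.url).hostname;
      if (target !== host) f.redirectsTo.push(target);
    }
    findings.set(host, f);
  }
  // Hosts not yet on the blocklist sort first: they are the ones to review.
  return [...findings.values()].sort(
    (a, b) => a.blocklisted - b.blocklisted || a.host.localeCompare(b.host));
}
```

On the sample data the blocklisted host is caught, while the newly registered creative host and its redirect target show up only as unreviewed findings, which is the manual follow-up work the paragraphs above describe.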

Putting an end to malicious ads on your webpage means partnering up with experts who can protect your pages from harmful content.



Partner With an Ad Security Group

Partnering with an ad security group means handing off all your malvertising woes to a team of experts who protect dozens of sites.

Ads able to circumvent the API-enabled SafeFrame are far more complex and pervasive than a small team of ad operatives can handle on its own, and they outmatch current SafeFrame capabilities.

Most ad security groups work with you to help build a blocklist out of your own third-party attackers, and their ever-growing database of known malicious URLs. The issue with this approach is that you are left vulnerable to new attack types malvertisers turn to as old techniques become less effective.

Along with this, because the creative itself is being blocked, you are unable to earn ad impressions or revenue from advertisements on your blocklist.

At cleanAD, our unique script protects your site behaviorally and blocks ads at runtime. This means you are always protected from attacks, even when new ones enter the ecosystem, while also allowing you to still earn ad impressions on malicious creatives.

This not only is great for your overall ad yield but also creates a financial disincentive for malvertisers targeting your site.

If you are struggling with malicious advertising groups and want to learn more about what our solution can do for you, you can get in touch with a salesman and sign up for a free 14-day trial here.

