Does SafeFrame Work Against Malvertising?

by Nick Carlson, on Oct 12, 2021 9:00:00 AM

Protecting your website from malvertisers and bad ads is crucial to your user experience, site metrics, and overall ad yield. And while the malvertising ecosystem is vast and complex, there are a couple of DIY solutions that offer reasonable protection from basic advertising attacks.

If you are publishing over Google, which you more than likely are, many of these security features come with the platform, including SafeFrame, an iFrame with a secure API that allows controlled communication between an advertiser's ad and the website it is published on.

But even with this type of security, there are still vulnerabilities that sophisticated bad actors are able to exploit, allowing them to redirect users, steal private information, or serve intentionally deceitful content with malicious JavaScript.


What is SafeFrame?

To fully explain what SafeFrame is and how it works, we need to start with an explanation of iFrames.

iFrames are the space on your webpage that ads are served into, and they protect your webpage by preventing advertisers from interacting with the code on your site.

This is because iFrames load content from different domains (known as "cross-domain"), and basic browser security, the same-origin policy, prevents content from different origins from interacting with or interrupting each other. Two documents share an origin only when their scheme, host, and port all match.

Essentially, iFrames work as windows on your site that display content from other domains.

[Image: SafeFrame window]

The issue with iFrames is that because advertisers are prevented from interacting with data and script in the parent frame (the rest of the webpage the iFrame is placed in), they are also unable to collect viewability metrics and other tracking data that would tell them how their ad is performing.

This is why SafeFrame was introduced by the IAB. It is essentially an iFrame with an API, allowing advertisers to request data without needing access to a publisher's webpage.

An API (Application Programming Interface) is how applications communicate with each other, from email and texting to databases and form requests.

By adding this functionality, advertisers gain limited tracking capabilities while also being able to correctly shape and size their ads to fit the frame, something plain iFrames do not allow.


Drawbacks of SafeFrame

While SafeFrame seems like a great final solution to malvertising, it still has a number of drawbacks that leave you vulnerable to malicious attacks.

The starkest drawbacks are:

Browser vulnerabilities and cross-site scripting attacks

Browsers will often have vulnerabilities that allow attackers to escape the SafeFrame and inject malicious JavaScript into your site. This is accomplished through cross-site scripting attacks that let attackers work around the same-origin policy.

These vulnerabilities can lie unpatched for extended periods of time, and even when browsers update and patch issues, users don't always update their browsers. Once vulnerabilities get patched, it is only a matter of time before bad actors find another hole to go through.

Inability to protect mobile redirects

Mobile browsers may lack the features required for SafeFrames to work, or have other security vulnerabilities that make it easier to bypass SafeFrames.

Does not report viewability metrics

SafeFrame does not directly report viewability metrics. The API only exposes geometry information (the position of the SafeFrame container relative to the viewport) that the advertiser can use to determine for itself whether or not the container is "in view."
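To make the two ideas above concrete, the same-origin rule from the iFrame section and the "geometry, not metrics" design of the SafeFrame API, here is a small model of the host side of such a bridge. This is an added illustration, not the IAB SafeFrame reference code or Google's implementation: the function names (originOf, sameOrigin, inViewPercentage, makeHostHandler), the message shape ({ type: "geom" }), and all rectangle values are assumptions constructed for the example. It shows a publisher page that answers only a geometry query, only from the ad's expected origin, and never hands over page data.

```javascript
// Added example modelling the SafeFrame host/ad bridge. Names and message
// format are assumptions for this illustration, not the IAB SafeFrame API.

// Browser same-origin policy compares scheme, host and port. Default ports
// are normalised so https://pub.example and https://pub.example:443 match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Rectangles are { x, y, w, h } in viewport pixels. Returns the percentage
// (0..100) of the ad container that currently lies inside the viewport;
// this is the kind of figure an advertiser derives from geometry data.
function inViewPercentage(container, viewport) {
  const overlapW = Math.max(
    0,
    Math.min(container.x + container.w, viewport.x + viewport.w) -
      Math.max(container.x, viewport.x)
  );
  const overlapH = Math.max(
    0,
    Math.min(container.y + container.h, viewport.y + viewport.h) -
      Math.max(container.y, viewport.y)
  );
  const area = container.w * container.h;
  if (area <= 0) return 0;
  return Math.round(((overlapW * overlapH) / area) * 100);
}

// Publisher (host) side of the bridge. Only the "geom" query is answered,
// only from the ad frame's expected origin, and the reply contains
// rectangles rather than anything from the parent document.
function makeHostHandler({ adOrigin, getContainerRect, getViewportRect }) {
  return function hostMessageHandler(event) {
    // event mirrors a postMessage MessageEvent: { origin, data }
    if (!sameOrigin(event.origin, adOrigin)) {
      return { ok: false, error: "unexpected origin" };
    }
    const msg = event.data;
    if (!msg || msg.type !== "geom") {
      return { ok: false, error: "unsupported request" };
    }
    const container = getContainerRect();
    const viewport = getViewportRect();
    return {
      ok: true,
      type: "geom",
      container,
      viewport,
      inViewPct: inViewPercentage(container, viewport),
    };
  };
}

// Constructed sample geometry: a 300x250 ad whose top 100px are on screen.
const SAMPLE_CONTAINER = { x: 0, y: 500, w: 300, h: 250 };
const SAMPLE_VIEWPORT = { x: 0, y: 0, w: 1024, h: 600 };

const hostHandler = makeHostHandler({
  adOrigin: "https://ads.example",
  getContainerRect: () => SAMPLE_CONTAINER,
  getViewportRect: () => SAMPLE_VIEWPORT,
});

// In a real page the handler would be wired up as:
//   window.addEventListener("message", (e) => {
//     e.source.postMessage(hostHandler(e), e.origin);
//   });
// Here we call it directly with constructed events.
function demo() {
  return {
    fromAd: hostHandler({ origin: "https://ads.example", data: { type: "geom" } }),
    fromStranger: hostHandler({ origin: "https://evil.example", data: { type: "geom" } }),
    pageDataRequest: hostHandler({ origin: "https://ads.example", data: { type: "cookie" } }),
  };
}
```

Running demo() shows the three outcomes that matter: the legitimate ad frame gets rectangles and a 40% in-view figure, a frame from another origin gets an error, and a request for anything other than geometry is refused regardless of origin. That last point is the whole reason the API exists: the advertiser learns how visible its container is without ever being able to read the parent page.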

Protecting Your Site

SafeFrame is an effective security measure, but it should only be considered a necessary baseline. Sophisticated and determined attackers know their way around these kinds of free, DIY solutions, and need to be dealt with using more advanced tools.

Partnering with an ad security group is the best way to fight back against malicious advertisers. But even the largest security companies rely on tactics like blocklisting and verification that bad actors can easily circumvent.

At cleanAD, our unique script behaviorally blocks bad ads at run time, meaning you remain protected from any and all harmful JavaScript bad actors may be trying to inject into your site.

If you are experiencing ad attacks, and are watching your site metrics and ad revenue plummet, you can sign up for a free 14-day cleanAD trial here.
