Ads that expand on a web page to show a larger banner or a video container can be abused as an entry point for other attacks, according to new research published this week by Randy Westergren, a Delaware-based security researcher.
Westergren says he identified several vulnerabilities in iframe busters, the name given to files that websites host on their own server to support "expandable ads." An ad served inside a cross-origin iframe cannot resize its container or draw over the host page on its own, so the ad frame loads a buster file from the publisher's origin to do the expansion for it. Any flaw in that file therefore runs in the context of the publisher's site, not the ad network's.
The researcher says he found XSS vulnerabilities in most of the iframe buster scripts that Google had, until recently, offered for download as part of a multi-vendor iFrame Buster kit on the DoubleClick AdExchange documentation site.
Westergren detailed four examples on his blog, showing how an attacker could run script on any site that hosts the vulnerable iframe busters from ad networks such as Adform, Eyeblaster (Add in Eye), Adtech, and Jivox.
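To make the class of bug concrete, here is an added illustration of the general shape of an iframe-buster XSS beside a hardened design. It is not code from any vendor's buster, from Google's kit, or from Westergren's write-up; the parameter names `src`, `w` and `h`, the sample URL fragments and the `ALLOWED_AD_ORIGINS` allowlist are all assumptions constructed for the example.

```javascript
// Added illustration (not any vendor's iframe buster): how a buster that trusts
// expansion parameters from the ad frame becomes XSS on the publisher's origin,
// and one way to harden it. Runs stand-alone in Node; no DOM is touched.

// Parse "k=v&k2=v2" pairs from a URL fragment or query string into an object.
// Pairs that fail percent-decoding are skipped rather than thrown on.
function parseBusterParams(fragment) {
  const params = Object.create(null);
  const body = fragment.replace(/^[#?]/, '');
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    try {
      const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
      params[key] = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
    } catch (e) {
      // malformed percent-encoding: ignore this pair
    }
  }
  return params;
}

// Injection-prone shape: the markup for the expanded ad is assembled by string
// concatenation and, in a real buster, handed to innerHTML or document.write.
// A parameter value containing a quote or '<' breaks out of the attribute and
// the resulting script runs on the publisher's origin.
function buildExpandedAdUnsafe(params) {
  return '<iframe src="' + params.src + '" width="' + params.w +
         '" height="' + params.h + '"></iframe>';
}

// Hardened shape: each parameter is checked against a strict expectation and
// the function returns a structured descriptor (or null). The host page then
// renders it with createElement/setAttribute, never by parsing attacker-shaped
// markup. allowedOrigins is the publisher's allowlist of ad-server origins
// (an assumption for this example; a real deployment ships it with the buster).
function buildExpandedAdSafe(params, allowedOrigins) {
  let url;
  try {
    url = new URL(params.src);           // throws on anything not an absolute URL
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;   // rejects javascript:, data:, http:
  if (!allowedOrigins.includes(url.origin)) return null;

  const width = Number(params.w);
  const height = Number(params.h);
  // Only plausible pixel sizes: rejects NaN, negatives, "100px", oversized values.
  const sane = (n) => Number.isInteger(n) && n > 0 && n <= 4096;
  if (!sane(width) || !sane(height)) return null;

  return { src: url.href, width, height };
}

// postMessage variant: the same parameters arrive as a message from the ad frame.
// Trusting event.data without checking event.origin is the same bug over a
// different transport, so the handler checks the origin first, then reuses the
// strict validator. It returns the descriptor the page would render, or null.
function makeBusterMessageHandler(allowedOrigins) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) return null;
    if (typeof event.data !== 'object' || event.data === null) return null;
    return buildExpandedAdSafe(event.data, allowedOrigins);
  };
}

// Constructed sample inputs (not real ad traffic): a crafted fragment that
// breaks out of the src attribute, and a benign expansion request.
const ATTACK_FRAGMENT =
  '#src=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&w=300&h=250';
const BENIGN_FRAGMENT =
  '#src=https%3A%2F%2Fads.example.net%2Fcreative.html&w=970&h=250';
const ALLOWED_AD_ORIGINS = ['https://ads.example.net'];
```

The unsafe builder turns the crafted fragment into markup containing a live `<script>` element; the hardened builder returns `null` for it and for `javascript:` URLs, and returns a plain `{src, width, height}` object for the benign request, which is the only thing the host page should ever render.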
Westergren says he notified Google of the issues with the scripts in the company's iFrame Buster kit in January this year, and Google engineers removed the affected scripts from the kit within two weeks.
Since then, Google has stopped offering the kit for download altogether. That does not fix sites that already installed the scripts: a buster is hosted on the publisher's own server, so copies downloaded earlier, or obtained from other sources, remain vulnerable until the site operator removes or replaces them.
Users who want to stay safe are advised to use an ad blocker, as most ad blockers block the intrusive ads that roll out and cover a large area of the page. Site operators should check their own servers for the affected buster files rather than rely on the kit's removal.