Internet Explorer flaw gives ad trackers a sneaky edge -- for now

The security company has found advertising analytics companies are using the flaw to measure ad views

Some advertising analytics companies are using a vulnerability in Microsoft's Internet Explorer browser for a questionable edge in figuring out if web users are actually seeing display advertisements buried within web pages.

The flaw, if fixed by Microsoft, could take away a metric called "viewability," which is helping companies decide where to spend their sought-after advertising budgets on display ads with only the most productive of publishers., a U.K.-based security company, published details of the vulnerability on Wednesday. But the flaw has been used for some time by at least two major advertising analytics companies in the course of business, said CEO Douglas de Jager.

Display advertising is hoped to be a rich source of revenue for publishers. But not many people actually click on display ads, which makes it harder to measure whether the ads are having an impact on customers. Display ads are usually sold for a fee per one thousand impressions, known as CPM.

Display ads may be shown further down a web page where a user never scrolls. The flaw in Internet Explorer allows advertising networks to serve ads rigged with special JavaScript code in order to figure out if an ad has actually been seen, which is much more useful information for advertisers.

Advertisers want to know if their ad has fallen within the "viewport," or the viewing area of a browser where a person sees content, which is smaller than the real size of a web page.

But advertisers don't know the position of their ad relative to the host web page. For security reasons, advertisements are prevented from running JavaScript code on the host web page that would send the coordinates for the ad.

Browsers such as Chrome and Safari are capable of delivering information on the position of an ad relative to the screen. With that information, advertisers could figure out if the ad is actually within the user's viewport. But that capability is turned off in those browsers for a variety of security-related reasons.

IE also does not reveal screen information. But IE's flaw reveals the position of the cursor relative to the advertisement and the position of the cursor relative to the screen. Whether the ad is visible in the viewport can be calculated by triangulating, according to a video from's de Jager said this "viewability" metric is being used by at least two major advertising analytics companies to blacklist publishers whose display ads are not seen.

"They use this viewability data for who is a good publisher and who is a bad publisher," said de Jager in a phone interview from London on Thursday. "This is being used by the savviest of the performance marketers in the display advertising world."

It means that those marketers could stand to make more money since they are delivering what would be considered higher quality ad inventory. said it notified Microsoft of the problem on Oct. 1, which acknowledged the issue but said it didn't have immediate plans to patch it. The problem affects all Microsoft browser versions going back to IE6.

Microsoft officials did not have an immediate comment on Thursday. discovered the problem within the course of its security work and then later found out it was actually being used in order to track advertisements, de Jager said.

He said he recently had a conversation with a major ad analytics company in New York that was aware of the flaw. The company, he said, chose not to use the problem for its ad tracking but was having to explain to clients why they were not using it to measure viewability.

"It is an industry in flux at the moment," de Jager said. "It's an IP [intellectual property] battle on who can deliver that new metric."

As long as users keep the exploitive display advertisement open, no matter if the browser is minimized, their mouse movements anywhere on a screen can be tracked.

It also has other risks: it could allow an attacker to collect information typed into a software or virtual keyboard, which are sometimes used to prevent people from typing on a real keyboard, avoiding malicious software that record keystrokes.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Spider.ioMicrosoftsecurityExploits / vulnerabilities

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts