Over-centralization is so bad for security!

Hi malware fighters,

http://pagead2.googlesyndication.com/pagead/show_ads.js
Nearly every site on the internet is running this JavaScript. This is bad. Very bad.
If anyone wanted to XSS pretty much the entire internet,
that’s the file he’d have to replace.
I really hope that nobody at Google has a change of morals.
Not to mention google-analytics etc. put even more situations like this out there.
It’d be the biggest XSS in history, nearly every single MySpace and YouTube user,
and pretty much every other user on the planet, attacked.
You could launch the world’s biggest DDoS using JavaScript.
I would hope that google never gets hacked this way.
For now, I’m using noscript to block
googlesyndication and google-analytics, etc.,
and I’d recommend the same or similar to anyone else.

polonus
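An added example, not from polonus's post and not Google code: a Node.js script that lists the third-party script hosts an HTML page pulls in, so you can see exactly which remote files are allowed to run in that page's origin, and flags the ones on a local denylist. The HTML and the denylist below are constructed for the example; only Node built-ins are used.

```javascript
// Added example (not from the original post): inventory the third-party
// <script src> hosts in a page. Every one of them can run code as the page,
// which is the point the post makes about show_ads.js.

// Constructed sample page; not a real site.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
  <script src="//www.google-analytics.com/ga.js"></script>
  <script type="text/javascript">var x = 1;</script>
  <script async src="https://cdn.example.org/lib.js"></script>
</head><body></body></html>`;

// Assumption: a local denylist of base domains, matching what the thread
// blocks with NoScript. Not a standard list.
const DENYLIST = ["googlesyndication.com", "google-analytics.com"];

// Suffix match on label boundaries: "www.google-analytics.com" matches
// "google-analytics.com", but "notgoogle-analytics.com" does not.
function hostMatches(host, baseDomain) {
  return host === baseDomain || host.endsWith("." + baseDomain);
}

// Returns one record per external script: absolute and scheme-relative
// ("//host/...") URLs are resolved against the page URL; same-host scripts
// are skipped because they are the site's own code, not a third party.
// A regex is enough for this inventory; it is not a full HTML parser.
function thirdPartyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const url = new URL(m[1], page);
    if (url.host === page.host) continue;
    found.push({
      url: url.href,
      host: url.host,
      denied: DENYLIST.some((d) => hostMatches(url.host, d)),
    });
  }
  return found;
}

// Human-readable report: one line per external script, BLOCK or allow.
function report(html, pageUrl) {
  for (const s of thirdPartyScripts(html, pageUrl)) {
    console.log(`${(s.denied ? "BLOCK" : "allow").padEnd(6)} ${s.host.padEnd(32)} ${s.url}`);
  }
}

report(SAMPLE_HTML, "https://www.example.com/index.html");
```

Run it with `node` against the HTML of any page you have saved locally; the same host showing up on page after page is the over-centralization the post is complaining about.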


When I click that link:

With IE7, I get the following …

Internet Explorer cannot display the webpage

… and with Opera 9.51, I get a blank page.


Unable to connect

Firefox can’t establish a connection to the server at pagead2.googlesyndication.com.

*   The site could be temporarily unavailable or too busy. Try again in a few moments.

*   If you are unable to load any pages, check your computer's network connection.

*   If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Because it is a JavaScript page, which isn’t for display but for action, download it and check the contents in Notepad or another text editor.

Firefox 3.0.1 displays it; see the image for a small extract of it. I had no error message.

@ polonus
How are you using NoScript to block these two locations?

I previously used Adblock Plus to block google-analytics and googlesyndication components, but I see no way to do this in NoScript unless the page you are visiting has google-analytics (most do), in which case you can place it as Untrusted. So must we wait for googlesyndication to appear as one of the script sources so we can set that to Untrusted also?

I got only code…

(function(){
var f=document,j=navigator,m=window;function aa(){var a=f.cookie,c=Math.round((new Date).getTime()/1000),b=m.google_analytics_domain_name,d=typeof b=="undefined"?s("auto"):s(b),e=a.indexOf("__utma="+d+".")>-1,g=a.indexOf("__utmb="+d)>-1,i=a.indexOf("__utmc="+d)>-1,k,n={};if(e){k=a.split("__utma="+d+".")[1].split(";")[0].split(".");n.sid=g&&i?k[3]+"":(m&&m.gaGlobal&&m.gaGlobal.sid?m.gaGlobal.sid:c+"");n.vid=k[0]+"."+k[1];n.from_cookie=true;n.dh=d}else{n.sid=m&&m.gaGlobal&&m.gaGlobal.sid?m.gaGlobal.sid:  etc. etc.

Hi Tech,

That is right, because that is what it is: JavaScript code that is running for Google all over the Internet. There is a bug in the code in show_ads.js in Firefox browsers:

   if (m.screen)
       e+=m.screen.width+"x"+m.screen.height+m.screen.colorDepth;

That is why it is not seen in IE; it should run inside another iframe actually. Just from this you can see that what I told in the posting above is not that far-fetched from reality. Even as the code is not rendered the same in all types of browsers (Firefox 2 even had worse rendering), there are risks of abuse. Consider also that Firefox is the Google-driven/promoted browser of choice, and even with this AdSense code we find that browsers were not developed with security in mind. That came in much, much later,

polonus

P.S. Just have NoScript and block google-analytics.com. Normally with NoScript on, all JS is blocked from running; only when you have it generally allowed (like Allow google.com) can you also use ABP to block these instances: open blockable items and block…

I always do that…

Hi,

I just installed Firefox with the NoScript plugin… how do I disable all Google interactions with me?

not a Google fan

Just add the following to the HOSTS file:

127.0.0.1 pagead2.googlesyndication.com

HOSTS files I use:
http://www.mvps.org/winhelp2002/hosts.htm
http://hosts-file.net/?s=Download

Managed with HostsMan and I use its HostsServer proxy to speed up browsing:
http://www.abelhadigital.com
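An added example, not from YoKenny's post and not HostsMan code: a Node.js routine that merges `127.0.0.1 hostname` lines like the one above into a HOSTS file, skipping names that are already mapped to loopback and flagging names that an earlier line maps to some other address, since an appended line does not override an earlier entry for the same name. The sample HOSTS text and the 203.0.113.5 address are constructed for the example.

```javascript
// Added example (not from the original post): maintain HOSTS-file block
// entries of the form "127.0.0.1 hostname", as the post describes.

// Constructed sample HOSTS file; the 203.0.113.5 line stands in for a
// stale or hand-edited entry that would let the name through.
const SAMPLE_HOSTS = [
  "# constructed sample hosts file",
  "127.0.0.1 localhost",
  "127.0.0.1 www.google-analytics.com",
  "203.0.113.5 pagead2.googlesyndication.com  # stale override",
  "",
].join("\n");

// Addresses that amount to "block": nothing useful answers there.
const LOOPBACK = new Set(["127.0.0.1", "0.0.0.0", "::1"]);

// Parse HOSTS text into { address, names } records, dropping comments and
// blank lines. Names are lower-cased because HOSTS lookups are case-insensitive.
function parseHosts(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    const [address, ...names] = line.split(/\s+/);
    entries.push({ address, names: names.map((n) => n.toLowerCase()) });
  }
  return entries;
}

// First mapping wins, as a resolver reading the file top-down would see it.
function resolveLocal(text, hostname) {
  const name = hostname.toLowerCase();
  for (const e of parseHosts(text)) {
    if (e.names.includes(name)) return e.address;
  }
  return undefined;
}

// True only if the name is mapped to a loopback/sink address.
function isBlocked(text, hostname) {
  const addr = resolveLocal(text, hostname);
  return addr !== undefined && LOOPBACK.has(addr);
}

// Append "sink name" lines for each hostname not yet present. Returns the new
// text plus what was added, what was already blocked, and which names are
// mapped elsewhere (appending would be shadowed; that line must be fixed).
function addBlockEntries(text, hostnames, sink = "127.0.0.1") {
  const current = new Map();
  for (const e of parseHosts(text)) {
    for (const n of e.names) if (!current.has(n)) current.set(n, e.address);
  }
  const added = [], skipped = [], conflicts = [], lines = [];
  for (const h of hostnames) {
    const name = h.toLowerCase();
    const addr = current.get(name);
    if (addr === undefined) {
      lines.push(`${sink} ${name}`);
      added.push(name);
      current.set(name, sink);
    } else if (LOOPBACK.has(addr)) {
      skipped.push(name);
    } else {
      conflicts.push({ name, address: addr });
    }
  }
  const base = text === "" || text.endsWith("\n") ? text : text + "\n";
  const out = base + lines.join("\n") + (lines.length ? "\n" : "");
  return { text: out, added, skipped, conflicts };
}

const result = addBlockEntries(SAMPLE_HOSTS, [
  "pagead2.googlesyndication.com",
  "www.google-analytics.com",
  "ssl.google-analytics.com",
]);
console.log("added:", result.added);
console.log("already blocked:", result.skipped);
console.log("conflicts:", result.conflicts);
console.log(result.text);
```

Two caveats when using this for real: HOSTS has no wildcards, so each host (pagead2, pagead1, ssl.google-analytics.com and so on) needs its own line, which is why the big maintained lists linked above run to thousands of entries; and 127.0.0.1 sends the request to your own machine, so anything listening on local port 80 will receive it, which is the reason some lists use 0.0.0.0 instead when nothing local is meant to answer.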

Hi YoKenny, I’ve wondered how the HostsServer works. On dialup, will it consume bandwidth?