DoubleClick Advertising Network XSS Vulnerability
Just a quick alert about an email from Google warning of XSS vulnerabilities in third-party vendor files hosted by some DoubleClick publishers. This has been sent to all website owners who use DoubleClick in any form.
However, this will ONLY affect website owners who use DoubleClick as a standalone service to display adverts. It does not affect website owners who use Google AdSense to display adverts and have enabled the additional options to also use DoubleClick as a method of advertising in the allowed advertisers section of their Google AdSense settings page.
The email reads:
Dear Customer,
We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster. These are the currently identified third-party vendor files:
1. adform/IFrameManager.html
2. admotion/afa-iframe.htm
3. bonzai/bonzaiBuster.html
4. exponential/buster.html
5. eyeblaster/addineyeV2.html
6. eyewonder/interim.html
7. flashtalking/ftlocal.html
8. ipinyou/py_buster.html
9. jivox/jivoxibuster.html
10. mediaplex/mojofb_v9.html
11. mixpo/framebust.html
12. predicta/predicta_bf.html
13. rockabox/rockabox_buster.html
14. liquidus/iframeX.htm
15. controbox/iframebuster.html
16. spongecell/spongecell-spongecellbuster.html
17. unicast/unicastIFD.html
18. adrime/adrime_burst.2.0.0.htm
19. revjet/revjet_buster.html
20. kpsule/iframebuster.html
We have disabled these vendors where possible for all DoubleClick for Publishers and DoubleClick Ad Exchange customers. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more.
For more information please refer to this Help Center article.
Regards,
The DoubleClick for Publishers and DoubleClick Ad Exchange Teams
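One way to carry out the check the email asks for, as an added example that is not part of the email or of any Google tooling: a Python script that walks a web root and reports files matching the 20 listed paths. The `scan` function, the "exact" and "name-only" labels, and the assumption that a file may have been deployed under a differently named folder are this example's own.

```python
import os
import sys

# The 20 vendor file paths, copied from the email above.
VENDOR_FILES = """
adform/IFrameManager.html admotion/afa-iframe.htm
bonzai/bonzaiBuster.html exponential/buster.html
eyeblaster/addineyeV2.html eyewonder/interim.html
flashtalking/ftlocal.html ipinyou/py_buster.html
jivox/jivoxibuster.html mediaplex/mojofb_v9.html
mixpo/framebust.html predicta/predicta_bf.html
rockabox/rockabox_buster.html liquidus/iframeX.htm
controbox/iframebuster.html spongecell/spongecell-spongecellbuster.html
unicast/unicastIFD.html adrime/adrime_burst.2.0.0.htm
revjet/revjet_buster.html kpsule/iframebuster.html
""".split()


def scan(webroot):
    """Return sorted (kind, relative_path) tuples for listed files under webroot.

    'exact'     : parent folder and file name both match a listed entry
    'name-only' : file name matches but the folder differs (assumption: the
                  file was deployed elsewhere; review these by hand)
    Matching is case-insensitive because many web servers serve it that way.
    """
    exact = {p.lower() for p in VENDOR_FILES}
    names = {p.rsplit("/", 1)[1].lower() for p in VENDOR_FILES}
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        parent = os.path.basename(dirpath).lower()
        for fname in files:
            low = fname.lower()
            if low not in names:
                continue
            rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
            kind = "exact" if f"{parent}/{low}" in exact else "name-only"
            hits.append((kind, rel.replace(os.sep, "/")))
    return sorted(hits)


if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, rel in found:
        print(f"{kind:9}  {rel}")
    sys.exit(1 if found else 0)  # non-zero exit when anything was found
```

Pass the web root as the only argument; the script exits non-zero when any listed file is present, so it can also run as a scheduled check after the files have been removed.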