DoubleClick Advertising network XSS vulnerability
Just a quick alert about an email from Google warning of vulnerabilities in some DoubleClick publishers. This has been sent to all website owners who use DoubleClick in any form.
However, this will ONLY affect website owners who use DoubleClick as a stand-alone service to display adverts. It does not affect website owners who use Google AdSense to display adverts and have enabled the additional option to also use DoubleClick as a method of advertising in the allowed advertisers section of their Google AdSense settings page.
The email reads:
Dear Customer,
We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster. These are the currently identified third-party vendor files:
1. adform/IFrameManager.html
2. admotion/afa-iframe.htm
3. bonzai/bonzaiBuster.html
4. exponential/buster.html
5. eyeblaster/addineyeV2.html
6. eyewonder/interim.html
7. flashtalking/ftlocal.html
8. ipinyou/py_buster.html
9. jivox/jivoxibuster.html
10. mediaplex/mojofb_v9.html
11. mixpo/framebust.html
12. predicta/predicta_bf.html
13. rockabox/rockabox_buster.html
14. liquidus/iframeX.htm
15. controbox/iframebuster.html
16. spongecell/spongecell-spongecellbuster.html
17. unicast/unicastIFD.html
18. adrime/adrime_burst.2.0.0.htm
19. revjet/revjet_buster.html
20. kpsule/iframebuster.html
We have disabled these vendors where possible for all DoubleClick for Publishers and DoubleClick Ad Exchange customers. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more. For more information please refer to this Help Center article.
Regards,
The DoubleClick for Publishers and DoubleClick Ad Exchange Teams
Please can someone explain what this really means, and what I can do to stay safe.
Nothing, really, that you can do as a website visitor. XSS vulnerabilities can be used to distribute malware or divert you to phishing sites, etc. As far as I can determine, in this case the exploits might be able to display incorrect information/images/links etc., or wrong adverts that might lead to malicious sites when clicked on.
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.acunetix.com/websitesecurity/cross-site-scripting/
I think what they are saying is, IF you are the owner/manager/webmaster of a website that uses DoubleClick for Publishers to serve ads on your website, AND you have installed a third-party app/plug-in to enable DFP, you should ensure that the vendor you used is none of the ones listed. You can probably tell by looking over the files in your website directory. If you find a match for any of the files listed, you should find a different way of showing your ads, as these “vendor files” have been identified as having a vulnerability that can pose a risk to your site or your site’s visitors.
I know I’ve said pretty much the same thing as the original email, but perhaps my wording helps explain it. (If I’m even right). If I’m wrong, someone should respond with a better explanation.
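A script for that directory check, added here as an example and not part of this thread or of Google's notice. It walks a web root looking for the twenty vendor paths quoted in the email, matching on the trailing vendor/filename pair (case-insensitively) so a copy dropped under a subdirectory such as /static/ads/ is still found, and it can also emit the URLs to probe for a site you cannot inspect on disk. The web root, the sample files it creates under a temporary directory, and the example site address are constructed for the demonstration.

```python
"""Look for the third-party iframe-buster files named in Google's DoubleClick notice."""
import os
import tempfile
from pathlib import Path

# The 20 vendor file paths quoted in the email above (relative to the publisher's web root).
VENDOR_FILES = [
    "adform/IFrameManager.html",
    "admotion/afa-iframe.htm",
    "bonzai/bonzaiBuster.html",
    "exponential/buster.html",
    "eyeblaster/addineyeV2.html",
    "eyewonder/interim.html",
    "flashtalking/ftlocal.html",
    "ipinyou/py_buster.html",
    "jivox/jivoxibuster.html",
    "mediaplex/mojofb_v9.html",
    "mixpo/framebust.html",
    "predicta/predicta_bf.html",
    "rockabox/rockabox_buster.html",
    "liquidus/iframeX.htm",
    "controbox/iframebuster.html",
    "spongecell/spongecell-spongecellbuster.html",
    "unicast/unicastIFD.html",
    "adrime/adrime_burst.2.0.0.htm",
    "revjet/revjet_buster.html",
    "kpsule/iframebuster.html",
]


def find_vendor_files(web_root):
    """Walk web_root and return relative paths of every file matching a listed vendor file.

    The match is on the last two path components ("vendor/filename"), compared
    case-insensitively, so the file is found wherever the vendor folder was placed.
    """
    wanted = {p.lower() for p in VENDOR_FILES}
    hits = []
    root = Path(web_root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            parts = rel.lower().split("/")
            if len(parts) >= 2 and "/".join(parts[-2:]) in wanted:
                hits.append(rel)
    return sorted(hits)


def candidate_urls(site_base):
    """URLs to request (e.g. with curl) when the site can only be checked over HTTP."""
    base = site_base.rstrip("/")
    return [f"{base}/{p}" for p in VENDOR_FILES]


def demo():
    """Constructed web root (not a real site): two listed files, two decoys that must not match."""
    tmp = tempfile.mkdtemp()
    for rel in [
        "ads/eyeblaster/addineyeV2.html",   # listed file under a subdirectory
        "Static/mixpo/FRAMEBUST.html",      # listed file, different case
        "index.html",                       # decoy: no vendor directory
        "assets/buster.html",               # decoy: right filename, wrong vendor directory
    ]:
        path = Path(tmp) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<html></html>")
    return find_vendor_files(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("found listed vendor file:", hit)
    print("probe these on a remote site:", candidate_urls("https://example.com/")[:3], "...")
```

Run it against the real document root (`find_vendor_files("/var/www/html")`) rather than the demo; an empty list means none of the listed files are present and, as the thread says, there is nothing to remove. A hit on a file whose vendor directory name differs only in case is still a hit, which is why the comparison is lowercased.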
Can we confirm if they really possess an XSS vulnerability? These files seem to be on every ad that runs through ad platforms.
The majority of ads everywhere are served via Google AdSense network not directly via the DoubleClick network. Google sanitizes the links to prevent XSS.
As far as I can see from the update that Google have made on their post https://support.google.com/dfp_premium/answer/7622991, the primary risk was on “expandable” ads. That is, those ads on some big sites where you either click or roll over an ad to get a larger version or a video ad playing.
You might still see these types of adverts served via Google AdSense, but they have been sanitized by Google to prevent risk.
A bit more detail explaining it, http://www.securityweek.com/google-warns-doubleclick-customers-xss-flaws, in a slightly easier-to-understand way than the Google post.
How can I remove these files from my blog? I cannot find these files in my blog template code. Can someone provide any video link?
If they are not there, then you don’t need to remove them.
Why do you think that they are on your blog? Are you signed up to DoubleClick as a publisher, or do you use Google AdSense via a typical blog plugin?
I have applied for the upgrade to non-hosted AdSense and they sent me the above mail. What to do now to get AdSense approval right now? Please inform me. Now I’m unable to do anything because I’m very poor in English.
I have removed all URLs in Google Search Console. Is the problem solved? Please inform me. I’m waiting for your kind information. Sorry for disturbing again.
Google Search Console has nothing to do with this.
You don’t have any AdSense adverts on your Blogger blog, so this is not affecting you.
But I want AdSense. Can I get upgraded from hosted to non-hosted with this issue? Or what do I do to get AdSense?
https://support.google.com/blogger/answer/1269077?hl=en