How Javascript Security Threats Impact Affiliate Links

by Scott Jangro on 03 August 2006

I received this question in the mailbag.

What are the ramifications of the security threats mentioned in this article to JavaScript affiliate links?

News.com: JavaScript Opens Doors to Browser-based Attacks


First, what’s this about?

The news.com story describes a clever security exploit that takes advantage of the access that a user’s computer has to it’s local network by executing javascript.

JavaScript is code that is generally served by a webpage visited by a user and gets executed on their browser. The idea is, obvioiusly, to perform advanced functionality that cannot be done with plain HTML, stuff like the nice interface for Google maps and the Web 2.0 apps that are so hip these days (like the AJAX comment form on this blog.)

JavaScript is actually a pretty powerful programming language. In the case of this security issue, it scans the local network for other computers that have vulnerabilities (like an insecure web server) and can then execute commands to exploit them by executing commands. Not nice.

This exploit can run if a user’s browser simply has JavaScript enabled. If you only visit sites you trust, that’s not a problem. However, a site that is an unknown, or even a trustworthy site that has been hacked can serve up this dangerous JavaScript.

What Does this Have To Do With JavaScript Affiliate Links?

There’s really little impact directly to JavaScript affiliate links, unless, of course, you don’t trust Commission Junction or the other providers that use this type of link.

The indirect impact, however, is that as more of these sorts of security issues surface with JavaScript, it’ll become more common to disable it. That will have a very real impact on affiliate technology that relies on JavaScript. It simply won’t work.

Thanks for the question.

  • Scott
    The point that I was trying to make is that the amount of users out there that disable JS and so they do not see an AD, is not really such a big deal. There is plenty more people out there that will!


    Fair enough, Tony. I won't disagree with you on this. When I argue against something like a mandatory change to Javascript links, this issue is at the bottom of my list. When you're dealing with non-technical decision makers, this is an easy one to wave at them, which is why I think it comes up more than the real issues which are more difficult to present in an "elevator pitch".

    And in regards to the vulnerabilities, I also agree with you. And you can see in my post, that I don't feel that it has really any impact on affiliate marketing.

    As for the rest of the stuff, which is the real interesting discussion, we're having this discussion in the wrong blog entry, but that's ok.

    You say you wouldn’t want to rely on a third party to deliver content of your website. I assume you don’t trust the third party, which is fair enough, but affiliate marketing is also about trust.


    When I say that I don't want to rely on a third party to deliver content, it's not about trust so much as it is about performance and reliability. I do not distrust the intentions of any third party that I partner with. If I did, I would not be in that relationship.

    I may lack confidence in their knowledge and judgement, which is ok if they're not imposing it on me. I feel that I simply know some things better about my visitors, site optimization, and business than a third party can.

    The fact is that if I rely on a third party to serve the content that appears on my website, sometimes it will not appear quickly or at all. Unless there's a good reason to rely on that sort of delivery mechanism, like a contextual advertisement, I see no good reason to do that.

    Allowing a third party to fully control what I have on my website because they need to control what affiliates are doing is not a good enough reason. That trust you talk about is a two-way street. If I'm doing something that they want done differently, they can pick up the phone or IM me and I'll take care of it. If there are some affiliates out there that need to be "controlled", don't hurt my business because of it by forcing me to use technology that makes it impossible to do my job.

    Javascript-only is not balance and I'm glad to see that CJ seems to be backing off.
  • Tony
    I agree with you Scott that utilising Javascript would be less pratical especially for things such as controlling a simple text links. We all agree with that and with other difficulties that may arise in utilising JS vs plain and simple HTML.

    I am of the opinion however that when an affiliate utilises a an affiliate network, such as CJ's, the affiliate cannot expect to necessarely be in full control.

    To my opinion an affiliate network has as much right to control what goes around on its network and seen from their perspective might have the need to protect its content from being tampered with. It might also need to protect its advertisers from allowing affiliates to do whatever they want, which i think is totally justified. At the end of the day, there's got to be a balance.

    My inital post was not to discuss the practicalities of HTML vs Javascript from an affiliate's prospective, but was to highlight my opinion (althought you might consider it black and white) about how relevant is the "disabling of JS" subject, when put in a larger context, when looking at the overall affiliate marketing. The point that I was trying to make is that the amount of users out there that disable JS and so they do not see an AD, is not really such a big deal. There is plenty more people out there that will!

    You say you wouldn't want to rely on a third party to deliver content of your website. I assume you don't trust the third party, which is fair enough, but affiliate marketing is also about trust.

    As with regards to vulnerabilities that might be exploited and would allow malicious JS code to be executed, I am convinced the solution doesn't lie in disabling JS, but in actually fixing those issue and vulnerabilities.
  • Scott
    What a black and white way to look at it, Tony. And to talk about not looking at the big picture.

    Sure, Javasript is great. I use it in the AJAX in this comment form and to serve the Adsense ads at the top of the page.

    I choose to use Javascript because, like you say, it adds great functionality to a website.

    However, there are many downsides. I wouldn't serve any of the main content of my site thru Javascript, especially in the control of a third party. Put several bits of JS on a page and it causes performance issues. And the fact of the matter is that some significant percentages of users don't allow Javascript to run, including search engine spiders who come by to grab my content for their indices. Why would I do something as simple as serve the main content of my site through that?

    I'm focusing on the content of my site because to me, that's what affiliate marketing is. It's not a banner or contextual ad that a website can do without. It's tightly integrated into the very content of a page.

    And beyond technology, it's a simple matter of practicality. Integrating Javascript into something like a simple text link when I can use just that, a text link, is simply absurd.

    Please read this: A Practical Look at LMI.

    Frankly, Tony, your reply indicates that you don't really understand affiliate marketing. That sort of mindset sounds all to familar recently. It's what that allowed Valeclick & Commission Junction's Link Management Initiative to gain so much momentum before driving into a wall.

    Thanks for the comment. I hope to hear more.
  • Tony
    Javascript is an essential scripting language that many professional sites nowadays utilise. It adds great functionality to a website that simply wouldn't be possible to achieve with standard HTML.

    Let's be honest guys, how many people out there actually care about stripping out JS code using these plug-ins/software? Is a bit like navigating the web and disabling cookies! Many websites out there simply won't work with cookies disabled. And how many users did in the past disable images from being displayed to save up on bandwith and load a web page faster? Maybe they did, for a short while, until they got totally bored just looking at text and turn them on again, to view the web page as it was originally intended..

    Now, my opinion is that at the end of the day we all want to see the new fancy features and utilise the new cool technologies. This is just what scripting languages can bring us, they make our website and online businesses work more efficiently, it's called progress!

    Or shall we just disable everything and go back to the stone age?

    The disabling of JS execution via software or plug-in, which would prevent an affiliate banner from being displayed on a browser, has extremely low impact on affiliate marketing.

    Let's take a look at the big picture...really.

    Tony
  • jimbot
    I love the no script plug-in. Great for visiting sites I have'nt been to before. Like when using 'stumble-upon'.
  • Firefox has a new add on called No Script. This program gives users a site by site ability to turn Javascript off. This program successfully strips all JS advertisements from web pages (unless approved). Firefox lists this as their second most downloaded add on.

    It is much more convenient than globally turning off JS. Browsing with JS turned off is a great pain. The add on makes it easy to turn JS back on the rare cases the JS really is important for a page.

    The market is developing programs to strip JS ads. It is a bad time for a company to be moving in the JS direction. I would not be surprised if 20% of the Firefox market ended up installing this add on.
blog comments powered by Disqus