SOLVED

Adobe Launch Vulnerability Testing Extension

Does Adobe have any plug-ins on Launch (either a user added extension or behind the scenes Adobe) that monitors all the JS running on Launch and flags any malicious JS and checks the validity of the source?

My customer is currently responding to a potential security risk on GTM where hackers can inject malicious code onto the site to skim credit card information from users. They allow credit card payments on their website using a 3rd party payment processor. They are urgently assessing that their website does not store any CC info and that GTM could not have any access to CC info. While the current published risk is for GTM, they will have to assess Launch and what type of security is in place. They currently collect data with GTM and Adobe Data Collection (A.K.A. Launch).

Ask: Does Adobe have any plug-ins on Launch (either a user added extension or behind the scenes Adobe) that monitors all the JS running on Launch and flags any malicious JS and checks the validity of the source?

1 Accepted Solution

Correct answer by
Community Advisor

To answer your question directly: no, there is no such extension in the catalogue.

2 Replies

Community Advisor and Adobe Champion

From the sounds of it... people gained access to GTM and used it to add code to the site... any tag manager, ad server, etc. could be used in such a way... basically any code that is designed to add code to your site could be a threat.

There are no real checks that you can run from the tag manager itself to detect threats... besides, if a hacker gained access to the tag manager account, they could just disable anything that you put in place...

The best defense is to try and make sure your tag managers have publish access limited to only a few accounts, and to make sure those accounts remain secure... running regular security and vulnerability tests on your site is also important. There are many tools and vendors out there that provide comprehensive testing.

While I don't believe GA has an equivalent to this... Adobe does still have the "self-hosted" AppMeasurement.js files... you could in theory only allow self-hosted trackers like that on the payment pages to prevent someone from creating code to grab the payment info from sensitive pages... thereby preventing anyone from injecting code there... then use the tag manager everywhere else... this would mean that changes would need to be manually deployed to payment pages, but would reduce the risk.
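Added example, not part of the reply above and not Adobe's code: one way to check that a payment page loads only self-hosted or explicitly approved scripts, as the reply suggests. The function name, the `shop.example` and `pay.example` hosts, and the sample markup are constructed for illustration.

```javascript
// Added example: audit a payment page's HTML for scripts that are not
// self-hosted. Function name, hosts and sample markup are assumptions.
function auditPaymentPageScripts(html, pageUrl, approvedOrigins = []) {
  // Allowed: the page's own origin plus explicitly approved ones
  // (for example the third-party payment processor).
  const allowed = new Set([new URL(pageUrl).origin, ...approvedOrigins]);
  const findings = [];
  // Simplified tag scan for illustration; use a real HTML parser on live pages.
  const scriptTag = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (!src) {
      // Tag manager snippets are often inline loaders, so list these for review.
      findings.push({ src: null, reason: "inline script, review manually" });
      continue;
    }
    const raw = src[1] ?? src[2] ?? src[3];
    try {
      // Resolves relative and protocol-relative URLs against the page URL.
      const url = new URL(raw, pageUrl);
      if (!allowed.has(url.origin)) {
        findings.push({ src: url.href, reason: "not self-hosted or approved" });
      }
    } catch {
      findings.push({ src: raw, reason: "unparseable src" });
    }
  }
  return findings;
}

// Constructed sample: a payment page with one self-hosted tracker, the
// processor's SDK, two tag manager loaders and one inline script.
const samplePage = `
<script src="/js/AppMeasurement.js"></script>
<script src="https://pay.example/sdk.js"></script>
<script async src="//assets.adobedtm.com/launch-EXAMPLE.min.js"></script>
<script src='https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE'></script>
<script>window.dataLayer = window.dataLayer || [];</script>`;

const findings = auditPaymentPageScripts(
  samplePage, "https://shop.example/checkout/payment", ["https://pay.example"]);
for (const f of findings) console.log(f.reason, f.src ?? "");
```

Run against the rendered HTML of each payment page in a deployment check, the audit fails the build when a tag manager loader or any other third-party script appears there.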
