Check and remove vendor files

We have identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please work with your webmaster to check if you host these files and remove them.

Often these files are hosted in the root domain. To check this location, type the full path of the vendor file into your browser and click Enter. For example: If you load the page and it’s blank, check the source of the page by right-clicking and selecting View Source to ensure the content is the vendor file.

The vendor files that we have currently identified are:

  • adform/IFrameManager.html
  • admotion/afa-iframe.htm
  • bonzai/bonzaiBuster.html
  • exponential/buster.html
  • eyeblaster/addineyeV2.html
  • eyewonder/interim.html
  • flashtalking/ftlocal.html
  • ipinyou/py_buster.html
  • jivox/jivoxibuster.html
  • mediaplex/mojofb_v9.html
  • mixpo/framebust.html
  • predicta/predicta_bf.html
  • rockabox/rockabox_buster.html
  • liquidus/iframeX.htm
  • controbox/iframebuster.html
  • spongecell/spongecell-spongecellbuster.html
  • unicast/unicastIFD.html
  • adrime/adrime_burst.2.0.0.htm
  • revjet/revjet_buster.html
  • kpsule/iframebuster.html
  • adtech/iframeproxy.html
  • flite/fif.html

We have disabled these vendors where possible for all Google Ad Manager and Ad Exchange customers. For Reservations, Deals, and Open Bidding, the vendor technology is not blocked. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more.

Because we are recommending that the files be removed until the vendors are able to correct the issue, we have opted-out these Ad Technologies from your Protections. This impacts serving of expandable ads via AdX, which utilize these vendor files.

  • Adform - Expandable
  • Admotion - Expandable
  • EyeWonder Expandable
  • Flashtalking Expandable
  • iPinyou - Expandable
  • Jivox - Expandable
  • Conversant (Mediaplex) Expandable
  • Mixpo - Expandable
  • Predicta - Expandable
  • Rockabox Media - Expandable
  • Contobox Expandable
  • Spongecell - Expandable
  • Unicast Expandable
  • Adrime Expandable
  • Kpsule - Expandable
  • Sizmek Expandable
  • Flite Expandable

However, should you want to continue working with these vendors independently to use expandables on your site, please reach out to the relevant third parties directly to get replacement files and then opt back into these Ad Technologies in Protections. Replacement vendor files will need to have a new name to be sure that they have been updated. Google will no longer be distributing these third-party vendor files.

The action we've taken is as a result of issues identified with the named files only, and does not imply the existence of any other vulnerabilities related to these vendors' technologies.