This is Muhammad Asfar. My question is about Google Ads malware detection in a scripttag file.
I have developed an app, and the app's functionality works on the store through the app's scripttag.
Now I am facing issues due to the scripttag file. Google has detected malware in the JS/jQuery scripttag code and the ads were disapproved because of it. I have checked my app's scripttag file and did not find anything to resolve this issue.
My question is:
Is there any guide to writing a scripttag file to counter this issue?
Please share your views if you are facing this issue or have resolved it.
Thanks in advance
There is nothing special about Shopify scripttags and there are no guidelines on them. Most probably it loads some suspicious (to Google) libraries or does some manipulation that Google considers "harmful". Do you get any details from Google on what specifically is being detected as harmful?
@Visely-Team thanks for replying on this thread.
On button click, the app checks product quantity conditions, and if the conditions fail, the app shows a message modal.
Below is the detail that one app client got from Google.
Why are your Ads disapproved?
Our latest scan from your site - came back, and still detects Malware/links that are potentially harmful to you and to the site visitors. It seems that your site (landing page) redirects users to malicious links OR triggered when clicked. Below are the links that we’ve detected:
The bad news is that this seems to be a recent problem affecting multiple apps. See this thread on google ads support.
As outlined in the linked thread we did as many malware scans, security audits, and devtool scans as we could and everything turns up just fine.
Our process is as follows:
- We add some code to the theme that loads our script.
- From within our script we check the version of jQuery and load it conditionally as per Shopify’s instructions.
- Due to some cross-origin issues we host jQuery on a proxy route so the domain where jQuery is located will match the store’s URL. We had cross-origin issues loading scripts from within our script and this solved it.
- This worked great for 2 years on 1000s of stores until a few days ago.
Based on the linked thread this seems to be happening with script tags, cross-origin, and same-origin scripts.
@Shopify can you provide some guidance or insight into this??
@SealSubs - We didn't change the domain serving script tags; the only thing we tried was doing an audit of our headers to make sure we were sending everything we needed to make Google comfortable. It was a while ago, but we added a proper CSP, made sure our 3rd party scripts were up to date, and made sure other security headers were looking good.
One thing to note is that this seems to have started a week or two after we added an additional domain to serve our scripts. Perhaps Google thought this was suspicious? Honestly it just sort of fixed itself after a few days.
I did hear back directly from someone at Shopify about this who said (jQuery was one of the scripts triggering the warning):
Weird, both of those files look fine. Sometimes we see jQuery files hijacked, but in this case it's identical with v3.4.1 from jQuery's CDN. I'm not sure there's much we can do from this end.
Some things you might like to try:
- Add integrity and crossorigin attributes to the script tags.
- Keep in mind most themes have jQuery loaded (including carolina-lifestyle). You might be able to avoid the additional request by wrapping it in a jQuery check.
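The two suggestions quoted above (integrity and crossorigin attributes, and a jQuery check before loading), sketched as an added example that is not code from this thread or from any app discussed in it. The `ensureJQuery` helper, the minimum version and the integrity value are assumptions; the integrity string is a placeholder to be replaced with the hash of the exact file being served.

```javascript
// Added example. JQUERY.minVersion and the integrity value are assumptions.
const JQUERY = {
  src: "https://code.jquery.com/jquery-3.4.1.min.js",
  // Placeholder: replace with the SRI hash of the exact file you serve.
  integrity: "sha384-REPLACE_WITH_HASH_OF_EXACT_FILE",
  minVersion: "1.7.0", // hypothetical minimum this app needs
};

// Numeric comparison of dotted versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = String(a).split(".").map((n) => parseInt(n, 10) || 0);
  const pb = String(b).split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// True when the theme already exposes a new-enough jQuery.
function hasUsableJQuery(win, minVersion) {
  const v = win.jQuery && win.jQuery.fn && win.jQuery.fn.jquery;
  return Boolean(v) && compareVersions(v, minVersion) >= 0;
}

// Reuse the theme's jQuery when possible; otherwise inject one pinned tag.
// Returns the created <script> element, or null when no request was needed.
function ensureJQuery(win, doc, cfg, onReady) {
  if (hasUsableJQuery(win, cfg.minVersion)) {
    onReady(win.jQuery);
    return null;
  }
  const tag = doc.createElement("script");
  tag.src = cfg.src;
  // The browser refuses to execute the file if its hash differs.
  tag.integrity = cfg.integrity;
  // SRI on a cross-origin file needs a CORS response; "anonymous" sends no credentials.
  tag.crossOrigin = "anonymous";
  // noConflict(true) hands back our copy and restores the theme's globals.
  tag.onload = () => onReady(win.jQuery.noConflict(true));
  tag.onerror = () => console.warn("jQuery blocked (network or integrity mismatch)");
  doc.head.appendChild(tag);
  return tag;
}

// Storefront usage: ensureJQuery(window, document, JQUERY, ($) => { /* app code */ });
```

If the script is served from a proxy route on the store's own domain instead, the same integrity value still pins the file contents, so a modified copy on that route would fail to execute.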
@Matt_Goodwin I think that this additional domain was the cause of the issue. It seems that Google gets very suspicious when a new script from a new domain appears on too many websites too fast, as mentioned here. I am glad that the issue got resolved in a few days, because from our experience, this can take weeks to resolve with Google.