Google Ads says my site is affected by an unsafe domain

I'm working with a client's marketing team who just got this message from Google: The most recent system scan detected that this advertiser's primary declared landing page is affected by an unsafe domain and the bad link is 'googie-anaiytics[.]com'

Note the lowercase i in place of the two lowercase Ls in the link.

We've looked in the source code, Google Search Console, Ahrefs, Google Analytics, and Screaming Frog and we don't see any reference to or from that spammy domain to the client's Home page. I've found the same question posted in other forums, but no answers.

Has anyone solved an issue like this?

Link to comment

It is a JavaScript file. I am not sure if you have removed anything after the warning, but the only file I see related to polyfill left in your site is //assets.squarespace.com/@sqs/polyfiller/1.6/modern.js . You can remove this file and submit again to see if it is the issue.

Link to comment
Quote

I don't believe I can remove that from a Squarespace site

You can't. If you didn't install it, you can't remove it. Squarespace does not allow access to their backend.

Link to comment
On 6/21/2024 at 8:13 PM, AmyF said:

Thank you @WebQure. It's https://www.blacksford.com/

Thanks. Squarespace doesn't allow access to their source code so you can't remove or delete any such code from the website. Could you share site access with me for a detailed in-depth review of this website? I think I can resolve this issue.

Edited by WebQure
Link to comment
On 6/21/2024 at 1:16 AM, AmyF said:

just got this message from Google: The most recent system scan detected that this advertiser's primary declared landing page is affected by an unsafe domain and the bad link is 'googie-anaiytics[.]com'...we don't see any reference to or from that spammy domain to the client's Home page

I didn't see the unsafe domain referenced in the site code either.

Edited by paul2009

Link to comment

Hi, it is me again.

After some digging, I finally found a page that is using polyfill: url https://www.blacksford.com/yellowstone-rv-rentals containing polyfill library https://cdn.polyfill.io/v3/polyfill.min.js?features=URL,Promise,Symbol,Symbol.iterator,Object.assign,Object.values,Object.entries,String.prototype.startsWith,String.prototype.endsWith,Intl,Intl.~locale.en-US,Intl.~locale.en-CA,Intl.~locale.fr-CA,Intl.~locale.en-AU,Intl.~locale.en-NZ&flags=gated . Please remove this.

Do note that this might not be the only page containing polyfill library, you will need to scan ALL of your pages.

Link to comment

@HoangExprto Thank you !
Can you help me to know how you found the root cause - polyfill library?

Do you have any scanner to check your site?

Did Google respond to you with the infected library in polyfill that contains googie anaiytics, or else did you observe any redirection to a suspicious domain with polyfill?

Thank you for your help !

 

Link to comment

@HoangExprto Thanks for taking a look. I see polyfills referenced on every page of the site in these lines of code:

<script type="text/javascript" crossorigin="anonymous" defer="defer" nomodule="nomodule" src="//assets.squarespace.com/@sqs/polyfiller/1.6/legacy.js"></script>
<script type="text/javascript" crossorigin="anonymous" defer="defer" src="//assets.squarespace.com/@sqs/polyfiller/1.6/modern.js"></script>

Is that different than what you found on the page you referenced (https://www.blacksford.com/yellowstone-rv-rentals)? I see this code on the 50+ Squarespace sites I'm on.

Because the source is from Squarespace itself—src=//assets.squarespace.com—I'm assuming it's from Squarespace's server code. And (for good reason) it's not accessible, deletable or editable by customers.

For other Squarespace customers having this issue, read below to see what Squarespace support said:
 

Quote

I understand Google Ads is stating that their domain is being affected by an unsafe domain: googie-anaiytics.com. I'm sorry to hear of the trouble.
 
In regards to the solution provided by the forum user of removing the polyfill library from the platform's code, I do want to clarify that it isn't possible to edit or modify the platform code. You may inject code into a Squarespace site, but it isn't possible to change the server code used for the Squarespace platform.
 
I understand this may not quite be the answer you were hoping to hear - we value transparency and your time, so we want to be as up front as possible with you on what can and cannot be done within our platform.
 
On this note, I've taken some time to review the site and haven't been able to locate any links or instances of code pointing to an unsafe domain: googie-anaiytics.com. 
 
I've done some research on this and it seems that malicious links can be hidden in plugin files. Typically, these are integrated via custom code.

That said, I've noticed that the site has Developer Mode enabled, as well. Using the Developer Platform provides you with full access to your template code and allows you to create a custom template from scratch using the Base template. 
 
After you enable developer mode, you have full access to the template code (CSS, JSON, and HTML). Can you confirm if you've been able to inspect your template code for the URL being reported as unsafe?

I'll look into the code added via Developer Mode, but most of it relates to CSS and styling, so I can't imagine that's the issue.

Edited by AmyF
Link to comment

Just ignore //assets.squarespace.com/@sqs/polyfiller/1.6/legacy.js and //assets.squarespace.com/@sqs/polyfiller/1.6/modern.js. I initially thought that since it is the only polyfill thing in your website, it might be the cause. But since the customer support has confirmed that they are hosted locally, we can be somewhat confident in their safety.

In the URL https://www.blacksford.com/yellowstone-rv-rentals I found a URL not hosted locally https://cdn.polyfill.io/ . This URL has been sold to a shady Chinese company https://github.com/formatjs/formatjs/issues/4363 , and Cloudflare has issued a warning https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk , though only now does the domain start to spread malicious code. So you should consider removing it.

Link to comment
  • Solution

Again, I appreciate your help here, @HoangExprto. You are correct and Google Ads finally explained as much in the message below.

Squarespace support told me their engineering team is working on a fix, though they have no timeframe for when the issue will be resolved.

The email from Google Ads:

Quote

Dear Advertiser,

We've detected a security issue that may be affecting websites using specific third-party libraries (like polyfill.io, bootcss.com, and others). This issue can sometimes redirect visitors away from the intended website without the website owner's knowledge or permission.

Because your Google Ads are linked to websites (e.g. blacksford.com) that might be using these libraries, we want to make you aware of the situation as it may result in Ad disapproval.

Why is this happening?

The code causing these redirects seems to be coming from a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org. Similar reports can be found by searching for "polyfill.io" on Google (https://www.google.com/search?q=polyfill.io).

What does this mean for your Google Ads?

If we find these redirects during our regular checks of your ad destinations, we'll need to disapprove the related ads. This is due to our Compromised Sites Policy, which aims to protect users from websites with unauthorized code modifications.

What can you do?

  1. Investigate your landing pages: Check your website's code (or ask your website administrator) to see if you're using any compromised libraries.
  2. Remove or replace the code: If you find compromised libraries, consider:
    • Hosting a clean, secure version of the code yourself
    • Switching to an alternative library or provider
  3. Resubmit your ads: Once you've fixed the issue, resubmit any disapproved ads for review.
 

We understand this might be inconvenient, but our priority is to keep both advertisers and users safe. We appreciate your understanding and cooperation.

Squarespace support's response:

Quote

We’re currently investigating an issue with internal performance and census URLs flagged as malicious by Google Ads—thanks for reporting this to us. Our Engineering teams are prioritizing a fix for this as we speak.
 
There are many variables that we test against before we release a fix, so we can’t provide an exact timeframe for a resolution. We can’t always follow up personally when a fix is released due to the volume of reports we receive for this issue.
 
That said, these reports are crucial for us as we improve our platform. If you notice any other unusual behavior, please contact us again.

 

 
Edited by AmyF
Link to comment
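
An added example, not part of any post in this thread: a Python check for step 1 of the Google Ads email ("Investigate your landing pages") that lists script and stylesheet URLs served from the providers the email names. It matches on hostname, so Squarespace's own //assets.squarespace.com/@sqs/polyfiller path is not flagged while cdn.polyfill.io is. The page URLs and HTML in PAGES are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Providers named in the Google Ads email quoted above.
FLAGGED = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org")

class _Collector(HTMLParser):
    """Collects every URL a page loads via <script src> or <link href>."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.urls.append(value)

def host_is_flagged(host):
    """True for a flagged domain or any subdomain of it (e.g. cdn.polyfill.io)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FLAGGED)

def flagged_resources(page_url, html):
    """Return absolute URLs of resources on the page served by a flagged host."""
    parser = _Collector()
    parser.feed(html)
    hits = []
    for raw in parser.urls:
        absolute = urljoin(page_url, raw.strip())  # resolves //host/path and relative paths
        if host_is_flagged(urlsplit(absolute).hostname):
            hits.append(absolute)
    return hits

# Constructed sample pages (hypothetical site, not the real markup).
PAGES = {
    "https://example.test/": '<script defer src="//assets.squarespace.com/@sqs/polyfiller/1.6/modern.js"></script>',
    "https://example.test/rentals": '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=URL,Promise"></script>'
                                    '<script src="/local/notpolyfill.io.js"></script>',
}

def scan(pages):
    """Map page URL -> flagged resources, omitting clean pages."""
    return {u: h for u, h in ((u, flagged_resources(u, html)) for u, html in pages.items()) if h}

if __name__ == "__main__":
    for page, hits in scan(PAGES).items():
        print(page, hits)
```

This inspects static markup only; a tag added at runtime by another script or by injected custom code has to be checked in the rendered page.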
