Conversation
WalkthroughThe pull request adds three footer scripts to Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
github-project-automation
bot
moved this from Triage
to Complete
in OpenFront Release Management
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@index.html`:
- Around line 426-427: The dialog string "Pleae enable ads" in the Admiral
script block contains a typo and is not localized; correct the spelling to
"Please enable ads" and replace the hard-coded UI string with a call to
translateText() that reads the corresponding key from en.json (add a new key
like "ad_dialog_enable_ads" to en.json); update the dialog construction in the
script (the inline string in the <script> block that creates the dialog) to use
translateText("ad_dialog_enable_ads") so the text is localized and the typo is
fixed.
- Around line 446-485: The embedded, obfuscated script (function s and its
invocation) reads localStorage via a decoded key, extracts lgk entries and
forwards them to googletag.pubads().setTargeting while swallowing all errors;
replace this with a clear, auditable implementation: decode or remove the
obfuscation so the code in function s (and its registration into googletag.cmd)
is human-readable, validate and whitelist allowed targeting keys/values from
localStorage before calling googletag.pubads().setTargeting, and replace silent
catch(N){} blocks with explicit error handling/logging; if this code is
third-party (Admiral) require an unobfuscated vendor-signed snippet or official
documentation before merging.
- Around line 426-486: This change injects an obfuscated, unverified third-party
script (A.src "https://introjava.com/assets/js/gfjjtpm64er_5.v1.js") that reads
from localStorage (the s[...] JSON parse and usage of D.pubads()) and lacks SRI;
remove or disable this script until you obtain explicit vendor confirmation from
Admiral and a vetted URL. Replace the introjava.com script load with Admiral's
official script (hosted under getadmiral.com) or a signed, non-obfuscated
bundle, add Subresource Integrity and an allowlist check for the exact vendor
domain, and ensure the logic around the localStorage read (function s / s[...]
usage) is only executed by verified code. Verify with Admiral that the provided
file and any obfuscation are legitimate before reintroducing; if they confirm,
update A.src to the approved host and include an integrity attribute and
documented approval note.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| <!-- Admiral Script--> | ||
| <script type="text/javascript"> |
There was a problem hiding this comment.
Typo in UI text and missing i18n per PR checklist.
Per the PR description screenshot, the dialog shows "Pleae enable ads" (missing "s" in "Please"). Additionally, the PR checklist item "Process displayed text through translateText() and add to en.json" is unchecked, indicating user-facing strings are not localized.
If this code proceeds after security verification, ensure:
- Fix the typo: "Pleae" → "Please"
- Add strings to
en.jsonand usetranslateText()
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@index.html` around lines 426 - 427, The dialog string "Pleae enable ads" in
the Admiral script block contains a typo and is not localized; correct the
spelling to "Please enable ads" and replace the hard-coded UI string with a call
to translateText() that reads the corresponding key from en.json (add a new key
like "ad_dialog_enable_ads" to en.json); update the dialog construction in the
script (the inline string in the <script> block that creates the dialog) to use
translateText("ad_dialog_enable_ads") so the text is localized and the typo is
fixed.
| <!-- Admiral Script--> | ||
| <script type="text/javascript"> | ||
| !(function (Y, _name) { | ||
| (Y[_name] = | ||
| Y[_name] || | ||
| function D() { | ||
| (D.q = D.q || []).push(arguments); | ||
| }), | ||
| (Y[_name].v = Y[_name].v || 2), | ||
| (Y[_name].s = "1"); | ||
| })(window, decodeURI(decodeURI("%2561%25%36%34mir%61%25%36c"))); | ||
| !(function (Y, D, A, U) { | ||
| (A = Y.createElement(D)), | ||
| (Y = Y.getElementsByTagName(D)[0]), | ||
| (A.async = 1), | ||
| (A.src = "https://introjava.com/assets/js/gfjjtpm64er_5.v1.js"), | ||
| (U = 0) && U(A), | ||
| Y.parentNode.insertBefore(A, Y); | ||
| })(document, "script"); | ||
| </script> | ||
| <script type="text/javascript"> | ||
| !(function (Y, D, A, U, M) { | ||
| function s(U, M) { | ||
| try { | ||
| (s = Y.localStorage), | ||
| (U = | ||
| JSON.parse( | ||
| s[ | ||
| decodeURI( | ||
| decodeURI("%25%367%256%35%25%37%34I%74%256%35m"), | ||
| ) | ||
| ](A), | ||
| ).lgk || []) && | ||
| (M = Y[D].pubads()) && | ||
| U.forEach(function (Y) { | ||
| Y && Y[0] && M.setTargeting(Y[0], Y[1] || ""); | ||
| }); | ||
| } catch (N) {} | ||
| var s; | ||
| } | ||
| try { | ||
| ((M = Y[D] = Y[D] || {}).cmd = M.cmd || []), | ||
| typeof M.pubads === U | ||
| ? s() | ||
| : typeof M.cmd.unshift === U | ||
| ? M.cmd.unshift(s) | ||
| : M.cmd.push(s); | ||
| } catch (N) {} | ||
| })( | ||
| window, | ||
| decodeURI(decodeURI("%25%36%37%6f%6f%25%36%37%6ce%2574%25%361%67")), | ||
| "_a" + | ||
| decodeURI( | ||
| decodeURI( | ||
| "%51S%30%32%25%34d%25%37%61g%25%33%33%52%2544%25%345wMj%255%35%253%35%25%34e%25%36a%25%34%32%254%37%25%34%66%25%35%35%255%31%30%2552EY5%255%310%2559%77%25%34fT%2545%257%34%4e%256%61%2563%2530", | ||
| ), | ||
| ), | ||
| "function", | ||
| ); | ||
| </script> | ||
| <script type="text/javascript"></script> |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the external domain and check if it's associated with Admiral
echo "=== Checking domain registration info ==="
# Check if introjava.com has any relation to Admiral/getadmiral.com
curl -s "https://dns.google/resolve?name=introjava.com&type=A" | jq .
echo ""
echo "=== Checking official Admiral domains ==="
curl -s "https://dns.google/resolve?name=getadmiral.com&type=A" | jq .
echo ""
echo "=== Attempting to fetch the external script to inspect contents ==="
curl -sI "https://introjava.com/assets/js/gfjjtpm64er_5.v1.js" | head -20Repository: openfrontio/OpenFrontIO
Length of output: 1412
🌐 Web query:
Is introjava.com an official domain used by Admiral (getadmiral.com) for their ad-block detection SDK? What domains does Admiral officially use for their JavaScript SDK?
💡 Result:
introjava.com: I can’t find any Admiral-controlled documentation (getadmiral.com / learn.getadmiral.com) that identifies introjava.com as an official Admiral SDK domain, and it’s not under the getadmiral.com domain family. Public WHOIS/hosting summaries also don’t tie it to Admiral branding (it shows separate registration/hosting details). [1]
Domains Admiral officially uses (branded/first‑party): Admiral’s own materials reference these getadmiral.com domains for their platform and access points:
- app.getadmiral.com (Admiral app/dashboard where you obtain the install tag) [2]
- learn.getadmiral.com (official knowledge base) [3]
- my.getadmiral.com (subscriber/visitor login) [4]
- web.getadmiral.com (demo/pricing flows linked from the main site) [5]
- blog.getadmiral.com (official blog, linked throughout getadmiral.com content) [2]
- m.getadmiral.com (used for transactional email sending, e.g.,
no-reply@m.getadmiral.com) [4]
JavaScript SDK delivery domains: Admiral’s public docs/pages I located do not publish a complete, authoritative allowlist of every hostname their JavaScript may load from (many adblock-recovery vendors also use rotating/unbranded domains operationally). So, from official sources, the only domains you can safely treat as “official Admiral domains” are the getadmiral.com properties above. [2][4][5]
If you share the exact <script src=...> URL you’re seeing (or a HAR capture), I can verify whether that host is referenced by Admiral’s own tag flow and whether it resolves/behaves like an Admiral-controlled endpoint.
Sources: [1]–[5]
CRITICAL: This code loads an unverified external script that is not from an official Admiral domain.
The verification shows that introjava.com is not an official Admiral domain. Admiral's official domains are all under the getadmiral.com family (app.getadmiral.com, learn.getadmiral.com, etc.), and Admiral does not publish a list of other approved script-loading domains.
Key concerns:
-
Wrong domain: The script loads from
introjava.com(IP 34.8.48.135), not fromgetadmiral.com(IP 35.190.71.217). These are separate infrastructures. Admiral's public documentation only confirms thegetadmiral.comfamily as official. -
Unverified legitimacy: While the script does return HTTP 200 from Google Cloud infrastructure, serving a file successfully does not prove it is a legitimate Admiral SDK.
-
Heavy obfuscation hides the true behavior: Legitimate SDKs do not hide their own API calls. The code obscures references to
admiral,googletag, andlocalStorage.getItem(). -
Data access pattern: The script reads from browser storage (which contains user identifiers and settings per your codebase) and passes the data to ad targeting functions.
-
No Subresource Integrity (SRI): No integrity hash protects against server-side content changes.
Do not merge this PR. Verify with Admiral:
- Did Admiral provide this code directly?
- Is
introjava.coman official Admiral integration point? - Why is the code obfuscated if it comes from a trusted source?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@index.html` around lines 426 - 486, This change injects an obfuscated,
unverified third-party script (A.src
"https://introjava.com/assets/js/gfjjtpm64er_5.v1.js") that reads from
localStorage (the s[...] JSON parse and usage of D.pubads()) and lacks SRI;
remove or disable this script until you obtain explicit vendor confirmation from
Admiral and a vetted URL. Replace the introjava.com script load with Admiral's
official script (hosted under getadmiral.com) or a signed, non-obfuscated
bundle, add Subresource Integrity and an allowlist check for the exact vendor
domain, and ensure the logic around the localStorage read (function s / s[...]
usage) is only executed by verified code. Verify with Admiral that the provided
file and any obfuscation are legitimate before reintroducing; if they confirm,
update A.src to the approved host and include an integrity attribute and
documented approval note.
| <script type="text/javascript"> | ||
| !(function (Y, D, A, U, M) { | ||
| function s(U, M) { | ||
| try { | ||
| (s = Y.localStorage), | ||
| (U = | ||
| JSON.parse( | ||
| s[ | ||
| decodeURI( | ||
| decodeURI("%25%367%256%35%25%37%34I%74%256%35m"), | ||
| ) | ||
| ](A), | ||
| ).lgk || []) && | ||
| (M = Y[D].pubads()) && | ||
| U.forEach(function (Y) { | ||
| Y && Y[0] && M.setTargeting(Y[0], Y[1] || ""); | ||
| }); | ||
| } catch (N) {} | ||
| var s; | ||
| } | ||
| try { | ||
| ((M = Y[D] = Y[D] || {}).cmd = M.cmd || []), | ||
| typeof M.pubads === U | ||
| ? s() | ||
| : typeof M.cmd.unshift === U | ||
| ? M.cmd.unshift(s) | ||
| : M.cmd.push(s); | ||
| } catch (N) {} | ||
| })( | ||
| window, | ||
| decodeURI(decodeURI("%25%36%37%6f%6f%25%36%37%6ce%2574%25%361%67")), | ||
| "_a" + | ||
| decodeURI( | ||
| decodeURI( | ||
| "%51S%30%32%25%34d%25%37%61g%25%33%33%52%2544%25%345wMj%255%35%253%35%25%34e%25%36a%25%34%32%254%37%25%34%66%25%35%35%255%31%30%2552EY5%255%310%2559%77%25%34fT%2545%257%34%4e%256%61%2563%2530", | ||
| ), | ||
| ), | ||
| "function", | ||
| ); | ||
| </script> |
There was a problem hiding this comment.
The localStorage data extraction logic is designed to evade code review.
Breaking down the obfuscated code:
// Decoded: window["googletag"]
Y[D] where D = decodeURI(decodeURI("%25%36%37%6f%6f%25%36%37%6ce%2574%25%361%67")) // = "googletag"
// Decoded: localStorage.getItem(key)
s[decodeURI(decodeURI("%25%367%256%35%25%37%34I%74%256%35m"))](A) // = getItem(A)
// The key "A" is: "_a" + long obfuscated stringThe script:
- Reads a JSON value from localStorage with an obfuscated key
- Extracts an
lgkarray from the parsed JSON - Iterates through pairs and calls
googletag.pubads().setTargeting(key, value)for each
This injects arbitrary key-value data into Google's ad targeting system. The silent catch(N){} blocks ensure failures are hidden.
If this is legitimate Admiral code, request an un-obfuscated version or official documentation explaining this pattern.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@index.html` around lines 446 - 485, The embedded, obfuscated script (function
s and its invocation) reads localStorage via a decoded key, extracts lgk entries
and forwards them to googletag.pubads().setTargeting while swallowing all
errors; replace this with a clear, auditable implementation: decode or remove
the obfuscation so the code in function s (and its registration into
googletag.cmd) is human-readable, validate and whitelist allowed targeting
keys/values from localStorage before calling googletag.pubads().setTargeting,
and replace silent catch(N){} blocks with explicit error handling/logging; if
this code is third-party (Admiral) require an unobfuscated vendor-signed snippet
or official documentation before merging.
1 participant
Description:
Use admiral to detect adblock and ask users to disable
Please complete the following:
Please put your Discord username so you can be contacted if a bug or regression is found:
evan