Our startup does attribution: user clicked ad, user looked at these 4 pages, user filled out form, receptionist qualified lead, customer bought, you got ROI. On the customer's website, it behaves like a combo of Google Analytics, CallRail and Hubspot.
And then Google Ads scanner flagged our script as "malicious" software and shut down all the ads, of all the businesses, us and our friends, that have it on their site. YIKES. Company killer if we can't get this fixed.
We went to customer support, they said the script is malicious and our only option is to take it down on our site. No can do, this is our startup.
Here's what it does: * It tracks user activity page by page and even movement, throughout the session, after they come from any source, one of which is Google ads * Duplicates Callrail, using number swapping and custom phone numbers for each session, so we can attribute phone calls. * Provide an API that clients can use to wrap up their contact form submissions into a JSON object and do an AJAX call, allowing us to intercept the inquiries on their site. (Customers must implement it specifically) * Embedded in the script are the following: fingerprint.js, a Call-Rail style number swapping script (custom), and jQuery. That's pretty much it.
Interestingly, we haven't run afoul of the main scanner (Search Console Security Issues), it's just the ad scanner (YOur Google Ads are disapproved).
Does anyone have any insight into A) which part of this they think is the problem, with emphasis on any direct experience you have or B) how we can get details from the technical team on what the issue is ?
p.s. - For various reasons owing to the large audience here and people we know, we can't disclose the company names or URLs here. I'm happy to sidebar with specific people though if you're willing to help.
It also goes against user’s rights for privacy and tracking prevention that they have control over.
I wouldn’t be surprised if google ads classifies fingerprinting as malicious.
Remove it from the bundle and try again.
Additionally, the ability to intercept form submissions can also be seen as malicious.
Especially if it’s a 3rd party script doing the interception and making AJAX calls to another domain.
This is basically what malicious scripts do.
HTH I have been building adtech for Google Ads etc for 15+ years. Happy to talk more if needed. But I’m pretty sure the two changes above will fix it.
Do you webpack/rollup the entire thing together, or is fingerprint/jquery included as-is?