Harmful JS found in Mautic emails?

Your software
My Mautic version is: 2.16
My PHP version is: 7.3

Your problem
My problem is:

This is what email-tester found in my emails sent from a Mautic campaign.

It reduced my spam rating by 3 points… which is a lot.

  • script>(function(){function xZBgg() { // window.AcROwLJ = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.aiOioFE = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (![‘http:’, ‘https:’].includes(windo…
  • (function(){function kOJUg() { //<![CDATA[ window.XxzdHWI = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.qUlKRuu = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'https:'].includes(window....
  • (function(){function oCyqD() { //&lt;![CDATA[ window.bPuHzHN = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.AcuQToM = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'https:'].includes(win...
  • (function(){function CVeZE() { //&amp;lt;![CDATA[ window.QtjodjO = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.HxNeXdB = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'https:'].includes...
  • (function(){function XiPDU() { //&amp;amp;lt;![CDATA[ window.uqsrcLE = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.UVMMEDU = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'https:'].incl...
  • (function(){function kujjA() { //&amp;amp;amp;lt;![CDATA[ window.kYnuKoJ = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.tgtMEKY = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'https:']....
  • (function(){function RfEcX() { //&amp;amp;amp;amp;lt;![CDATA[ window.CUaeNOe = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.XzOcuDh = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'https...
  • (function(){function DWypd() { //&amp;amp;amp;amp;amp;lt;![CDATA[ window.FtCPrDx = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.DSQORzU = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:', 'h...
  • (function(){function AhHBC() { //&amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.tOBhmva = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.FPxwVPw = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!['http:'...
  • (function(){function HwSRA() { //&amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.rpWzcbj = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.iCcaudV = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; if (!...
  • (function(){function lfpkq() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.cfXpCgb = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.XZYyyrz = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 100; ...
  • (function(){function rWxCL() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.yLkusRU = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.twsRjyB = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_TIME = 1...
  • (function(){function ndRmm() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.DVrzEuY = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.blOiTyO = navigator.geolocation.watchPosition.bind(navigator.geolocation); let WAIT_...
  • (function(){function wcJRh() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.NeioUdN = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.pObBtPH = navigator.geolocation.watchPosition.bind(navigator.geolocation); l...
  • (function(){function fMYVy() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.hjPMBle = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.YWttZiH = navigator.geolocation.watchPosition.bind(navigator.geolocation); ...
  • (function(){function MsbCY() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.twAEBrQ = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.hkPYEoR = navigator.geolocation.watchPosition.bind(navigator.geolocatio...
  • (function(){function eHwBh() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.SDSMPpw = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.dZDcySh = navigator.geolocation.watchPosition.bind(navigator.geoloc...
  • (function(){function qMcKq() { //&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;![CDATA[ window.sSTmSVF = navigator.geolocation.getCurrentPosition.bind(navigator.geolocation); window.FqmgrKI = navigator.geolocation.watchPosition.bind(navigator.ge...

Apparently it is geolocation code… In fact I will not segment users via geolocation, so can I disable it, or why is this happening?
Geolocation is turned off under settings in Mautic anyway…

Is it possible, that you are using AMP technology in your emails?

What is that? It uses geolocation code, no?
The email is straight from Mautic… nothing was added from outside…

What template or theme are you using to send the email?

I use emails and then click on send email; there is no template for email testing.

How did you create the email you are trying to test?
Is this a Mautic template?
Did you use code mode to push in your own template?

I go under Channels / Emails, open the email and save it, and then you can send an example… so I put email-tester.com as the destination.
I did not use my own template…
No code mode, I used blank mode.
I used the builder.
This is the HTML inside the builder:


Hello there {contactfield=name} !


As I have promised here is the ebook that you can download. You can find it attached to this email.

Sincerely

Bbooy


{unsubscribe_text}

Try logging in via incognito, and send the email again, your browser extension might be causing the issue.

For example Grammarly is known for injecting bad html.


Just one more thing - there is no point to place any JS / geolocation in your emails, as it will be filtered out by the spam filter of the ESP.

Openers data is tracked by Mautic, including the geolocation.

I ran it via a campaign to email-testing.com and it happens too… so I don't think the browser is at fault in any way.
I use Grammarly all the time, but I checked the code and nothing is there.
How do I disable Mautic tracking of geolocation?
Without this code I think I could reach 10/10 in spam level.

Post a link (not a screenshot) to the actual mail-tester.com results.

Are you still sending via PhpMail and not SMTP as discussed in one of your other posts?

I switched to SMTP and it works much better.
Mail tester wanted to charge me today for testing so I need to wait a bit.
Is posting a link safe?

EJL, I have sent you a PM with the link inside, please check.

@rotorfido You should change the post title to something more accurate. It is absolutely spurious. I could make some suggestions as to more accurate post titles but many of the community guidelines would be broken as to obscenity and respectful conduct.

A quick examination of your mail-tester.com link

https://www.mail-tester.com/test-mq9qa8imx

And 2 minutes on Google provided the answer

It doesn’t appear to be dangerous per se, but it allows a particularly formatted message from the postMessage API to cause the navigator.geolocation API to output garbage, if enabled, probably as part of an extension you’ve installed to browse “anonymously”.

And

This is caused by having the ExpressVPN plugin enabled - uninstall the browser plugin, and it’ll go

It appears that a browser extension you use is causing this, and probably most of the rest of the problems you have been having that you posted about.

Yes, I use the ExpressVPN plugin all the time. So does it mean it breaks the geolocation code when I create the email?
Or when? Because I sent to mail-tester.com through a campaign, so I did not do it manually, and the error came back too…
The question is, do I need to create all emails from scratch now and delete the old ones?

Turn off the VPN, send the email through Mautic to mail-tester.com, and post the results.

Keep the VPN off and send the email to mail-tester.com via Thunderbird or Outlook or whatever mail client you have installed on your computer. Post the results.

What geolocation code are you trying to add to the email? And why? 🙂

I am not trying to add any geolocation at all… so I guess it came from the VPN plugin? It was injected into the Mautic email? That is super strange…
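Added example, not part of the thread and not Mautic code: a small pre-send check that scans a saved email body for the injected snippet quoted above, including the copies that were re-escaped on each save (the growing `&amp;amp;…lt;` chains). The function names and both sample bodies are constructed for illustration; how the stored HTML is exported from Mautic is not shown.

```python
import html
import re

# Markers taken from the snippets quoted in the thread.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
GEO_HOOK = re.compile(r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)\.bind")
MAX_LAYERS = 32  # safety bound on repeated entity decoding


def scan_email_html(body):
    """Count live and entity-escaped script tags in an email body.

    The body is unescaped repeatedly until it stops changing, so copies
    that were HTML-escaped once per save become visible again.
    """
    text = body
    live_scripts = len(SCRIPT_TAG.findall(text))
    hooks = len(GEO_HOOK.findall(text))
    max_scripts, depth = live_scripts, 0
    while depth < MAX_LAYERS:
        decoded = html.unescape(text)
        if decoded == text:
            break
        text, depth = decoded, depth + 1
        max_scripts = max(max_scripts, len(SCRIPT_TAG.findall(text)))
        hooks = max(hooks, len(GEO_HOOK.findall(text)))
    return {
        "live_script_tags": live_scripts,
        "escaped_script_tags": max_scripts - live_scripts,
        "geolocation_hooks": hooks,
        "escape_depth": depth,
    }


def is_clean(body):
    """True when no script tag or geolocation hook is present at any layer."""
    r = scan_email_html(body)
    return r["live_script_tags"] + r["escaped_script_tags"] + r["geolocation_hooks"] == 0


# Constructed sample bodies (identifiers inside the scripts are made up).
CLEAN = "<p>Hello there {contactfield=name} !</p><p>{unsubscribe_text}</p>"
INJECTED = (
    CLEAN
    + "<script>(function(){function aaaaa() { //<![CDATA[ window.bbbbbbb = "
    + "navigator.geolocation.getCurrentPosition.bind(navigator.geolocation);}})()</script>"
    + "&lt;script&gt;(function(){function ccccc() { //&amp;lt;![CDATA[ window.ddddddd = "
    + "navigator.geolocation.watchPosition.bind(navigator.geolocation);}})()&lt;/script&gt;"
)
```

An `escape_depth` above zero on a body that should contain only plain markup suggests the injected block was saved and re-escaped more than once, so the stored email itself needs cleaning, not only the browser.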