Cloudflare injecting fingerprinting script?

Hi,
Looks like the following browser fingerprinting script was injected by Cloudflare, which has led us to be blocked by tracking protection blockers on Firefox.

https://widgetic.com/cdn-cgi/bm/cv/2172558837/api.js

I reviewed the bot management settings to confirm that bot fighting setting is turned off.

The said link is no longer active but we’re sure there might be others like it due to some configuration snafu from our end. Could you please shed more light on the issue? How can we get rid of such privacy obtrusive scripts entirely?

Bot Management I think?

Or, further things to troubleshoot would be:

  1. some Cloudflare app you are using
  2. Cloudflare Browser Insights as a part of Analytics
  3. Pro plan has got Mirage and Polish options (I saw some requests to Mirage script)
  4. Rocket Loader option, but it has got different script I believe

Bot management is available for enterprise plans only and I’m on a free plan. Haven’t set up Browser Insights. However, I found some suspects:

  • Browser Integrity Check (Enabled)
    "Evaluate HTTP headers from your visitors browser for threats. If a threat is found a block page will be delivered."

  • IP Geolocation (Enabled)
    This too relies on a certain HTTP header…

I wonder if there’s a way to list all scripts injected by CF!

@MoreHelp #2234024

This is Bot Management. On lower plans there is only Bot Fight Mode, which uses the same script.

That website isn’t proxied by Cloudflare, so we can’t troubleshoot and offer any more advice than we already have.

Cloudflare bot protection does check for TLS fingerprinting, that’s correct. It is a fundamental feature that I doubt can be disabled.

I’ve disabled bot management and the script in question is currently empty. So am I correct in assuming there isn’t a similar active script injected to my domain?

Which website? widgetic.com?

You can definitely check for yourself, but no, there shouldn’t.

All the injections will be from either a Cloudflare owned domain or possibly from the /cdn-cgi/ path (for installed apps, etc.).

How can I check for myself? Just load my domain’s homepage and inspect the scripts?

Yes. But even just downloading the HTML file, they are injected in there, if they are at all.
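
The check described in the replies above, as an added example that is not part of the original thread: it parses a downloaded HTML file and lists every script loaded from a `/cdn-cgi/` path or a Cloudflare-owned domain, plus inline scripts that reference `/cdn-cgi/`. The domain suffix list, `example.com`, the inline loader path and the names `ScriptAudit` and `audit` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: domain suffixes treated as Cloudflare-owned; not an exhaustive list.
CF_SUFFIXES = ("cloudflare.com", "cloudflareinsights.com")

# Constructed sample page (example.com and the inline loader path are placeholders).
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="/cdn-cgi/bm/cv/2172558837/api.js"></script>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js"></script>
<script>var s=document.createElement('script');s.src='/cdn-cgi/example/loader.js';document.head.appendChild(s);</script>
<script src="https://cloudflare.com.example.net/x.js"></script>
</head></html>"""

class ScriptAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []    # (kind, detail) tuples in document order
        self._inline = None   # collects the body of an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline = []
            return
        url = urlparse(urljoin(self.page_url, src))
        host = (url.hostname or "").lower()
        if url.path.startswith("/cdn-cgi/"):
            self.findings.append(("cdn-cgi-src", url.geturl()))
        elif any(host == s or host.endswith("." + s) for s in CF_SUFFIXES):
            self.findings.append(("cloudflare-domain-src", url.geturl()))
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body, self._inline = "".join(self._inline), None
            if "/cdn-cgi/" in body:  # inline loader that pulls a /cdn-cgi/ script
                self.findings.append(("inline-references-cdn-cgi", body.strip()[:80]))

def audit(html, page_url):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Feed it the HTML as served through the proxy (not the origin's copy), since the injections only appear in the proxied response.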