Adform

DSP and ad serving platform. High liability exposure from session recording and persistent tracking without consent. Medium revenue impact from bidding strategy leakage.

52 IOCs · 85 detections · 1% pre-consent · 84 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Adform discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

85 detections across 84 sites · 1% pre-consent activity
MEDIUM

Pre-Consent Activity

Adform was observed loading and executing before user consent was obtained on 1% of sites where it was detected.

GDPR · ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

  • For security teams: Ad tracking infrastructure creates reconnaissance surface revealing site visitor demographics.
  • For legal: Multi-site session recording creates complex GDPR jurisdiction questions and international data transfer obligations.
  • For marketing: RTB bidding data leaked to exchanges reveals audience valuation, enabling competitors to outbid on your highest-value segments.
  • For sales: Conversion attribution data shows which touchpoints drive revenue, leaking funnel optimization insights.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Adform

  • Require Adform to execute post-consent only with documented legal basis
  • Implement 30-day data retention for RTB and conversion data
  • Add DSP data sharing disclosure to privacy policy including ad exchange list
  • Audit Standard Contractual Clauses for international RTB data transfers

If You're Evaluating Adform

  • Review DPA for RTB data controller/processor responsibilities
  • Assess bidding strategy leakage cost vs. programmatic efficiency gains
  • Calculate competitive intelligence risk: (Adform fee + bidding data value to competitors)

Negotiation Leverage

  • Session recording without consent violates GDPR Article 6 - require post-consent execution or contract termination
  • Persistent tracking extends liability window - demand 30-day retention maximum with automated deletion
  • RTB data sharing reveals bidding strategies to competitors - require complete ad exchange audit rights
  • International data transfers via ad exchanges require Standard Contractual Clauses - demand DPA amendment documenting GDPR Chapter V compliance
Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C07: Session Recording

Full session replay

Impact: Records conversion paths and attribution touchpoints across publisher network. Every session creates GDPR data subject access request liability requiring multi-site reconstruction.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Executes ad tracking and session recording before consent collection. Documented in pre-consent timeline analysis. Violates ePrivacy Directive and GDPR consent requirements.

BTI-C13: Persistence Mechanisms

Long-lived identifiers

Impact: Maintains audience profiles across campaigns via persistent identifiers. Extends GDPR compliance obligations to all historical ad interactions spanning months or years.

IOC Manifest

50 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Core ad tech infrastructure connected to major ad exchanges and SSPs. Common co-deployments: Google Ad Manager (publisher-side), TradeDesk (competing DSP), LiveRamp (identity resolution), ad verification vendors. RTB data shared across programmatic ecosystem.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

52 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details