Adsupply | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Adsupply discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

4 detections across 4 sites25% pre-consent activity

HIGH

Pre-Consent Activity

Adsupply was observed loading and executing before user consent was obtained on 25% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN

They Claim

“Requires claims extraction via CDT”

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

For legal: Session recording creates GDPR data breach notification obligations if storage compromised. For publishers: Ad placement performance data leaked to competing publishers optimizing similar layouts. For marketing: Behavioral targeting data has competitive intelligence value showing audience engagement patterns.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Adsupply

→Require Adsupply to execute post-consent only
→Implement 30-day data retention for ad interaction data
→Add ad network data sharing disclosure to privacy policy
→Audit network-wide data sharing scope

If You're Evaluating Adsupply

→Review DPA for ad network data controller/processor responsibilities
→Assess competitive leakage risk vs. ad network yield benefits

Negotiation Leverage

→Session recording without consent violates GDPR Article 6 - require post-consent execution or contract termination
→Tag manager deployment creates liability gaps - demand technical consent controls
→Ad placement data shared across network subsidizes competitor optimization - require publisher-specific data isolation

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures ad engagement patterns for targeting optimization. Creates GDPR personal data processing obligations without documented legal basis.

BTI-C07Session Recording

Full session replay

Impact: Records conversion paths for attribution modeling. Every session creates GDPR data subject access request liability requiring multi-site reconstruction.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Executes ad tracking and session recording before consent collection. Violates ePrivacy Directive cookie consent requirements.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Deploys via GTM enabling dynamic updates without change control. Creates consent governance gaps.

IOC Manifest

77 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*www.adsupply.com/wp-content/plugins/cookie-law-info/lite/frontend/js/script.js*

Tracking script

TRACK

*www.adsupply.com/wp-includes/js/jquery/jquery-migrate.js*

Tracking script

TRACK

*www.adsupply.com/wp-includes/js/jquery/jquery.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/plugins/elegant-elements-wpbakery/assets/js/min/elegant-fixes.js*

Tracking script

TRACK

*www.adsupply.com/wp-includes/js/dist/hooks.js*

Tracking script

TRACK

*www.adsupply.com/wp-includes/js/dist/i18n.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-contact-form-7-tracker.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/plugins/contact-form-7/includes/js/index.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/themes/ad_supply/js/app.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.js*

Tracking script

TRACK

*www.adsupply.com/wp-content/plugins/js_composer/assets/js/dist/js_composer_front.js*

Tracking script

TRACK

www.adsupply.com/wp-content/plugins/cookie-law-info/lite/frontend/js/script.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-includes/js/jquery/jquery.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-includes/js/jquery/jquery-migrate.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/plugins/elegant-elements-wpbakery/assets/js/min/elegant-fixes.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-includes/js/dist/hooks.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-includes/js/dist/i18n.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/plugins/contact-form-7/includes/js/index.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-contact-form-7-tracker.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/themes/ad_supply/js/app.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.min.js

Auto-extracted from scan

TRACK

www.adsupply.com/wp-content/plugins/js_composer/assets/js/dist/js_composer_front.min.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Mid-tier ad network connecting publishers to demand sources. Common co-deployments: Google Ad Manager (header bidding), Prebid (yield optimization), ad verification vendors. Placement data shared across publisher network.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

83 detection signatures across scripts, domains, cookies, and network endpoints