Freshchat

Freshchat is the live chat and messaging component of the Freshworks suite, deploying a JavaScript Web Messenger widget on customer websites that tracks visitor behavior in real time. The widget captures page navigation, chat transcripts, and visitor metadata while enabling behavioral triggers that fire based on user actions. Pre-chat forms collect personal information before conversations begin. While Freshchat positions itself as a customer engagement tool, its runtime JavaScript deployment creates a persistent tracking presence on customer-facing properties that monitors visitor journeys and captures behavioral data beyond the scope of chat functionality.

95 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Freshchat discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Awaiting scanner verification

Observed Behavior

Scanner validation needed to confirm runtime behavior of the Freshchat widget, cookie deployment, pre-consent tracking scope, and third-party network requests made by the widget

Customer Impact

What This Means For You

Website visitors on Freshchat-equipped sites are subject to real-time behavioral monitoring from the moment the page loads. The JavaScript widget tracks page navigation, engagement timing, and visit patterns regardless of whether the visitor interacts with the chat function. Pre-chat forms collect personal information before the support interaction begins. For the deploying organization, the risk is third-party code execution on customer-facing pages -- the Freshchat widget loads external resources from Freshworks servers, creating a dependency on Freshworks' infrastructure security. If the widget is compromised or modified, it has access to the page DOM and visitor behavior data.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Freshchat

  • Audit Freshchat widget behavior: use browser developer tools to catalog all network requests, cookies, and localStorage entries created by the Freshchat JavaScript on your site.
  • Review pre-chat form configuration: ensure personal data collection (name, email, phone) occurs after appropriate consent is established, not as a precondition for chat.
  • Evaluate behavioral trigger scope: review which User Journey triggers are active and whether they capture more visitor behavior data than necessary for chat functionality.
  • Assess data flow to Freshworks suite: if using other Freshworks products (Freshdesk, Freshsales), audit what chat and visitor data flows into those systems and how it is retained.
  • Implement Content Security Policy headers to restrict Freshchat widget capabilities and monitor for unexpected network requests to third-party domains.

Negotiation Leverage

  • Freshchat is typically bundled within Freshworks suite deals, giving leverage to negotiate chat-specific data handling terms within the broader contract. Push for explicit language limiting the use of visitor behavioral data captured through the chat widget -- specifically, ensure data collected through pre-chat forms and visitor tracking is not used for marketing purposes without consent. Request documentation on what data the JavaScript widget transmits to Freshworks servers beyond chat messages. If Freshworks offers AI-powered features (Freddy AI), demand transparency on whether chat transcripts and visitor behavior data are used for model training. Competitive alternatives (Intercom, Drift/Salesloft, Zendesk Chat) provide negotiation leverage. Total cost assessment should include the security overhead of maintaining third-party JavaScript on customer-facing pages.
IOC Manifest

95 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Freshchat is part of the Freshworks product suite, which includes Freshdesk (helpdesk), Freshsales (CRM), Freshmarketer (marketing automation), and Freshservice (IT service management). Data captured through Freshchat can flow into these connected products, expanding the behavioral data footprint. Freshchat is commonly deployed alongside Google Tag Manager for event tracking, and integrates with Slack, Facebook Messenger, WhatsApp, and Apple Business Chat for omnichannel messaging. The widget can also be deployed through CMS platforms like WordPress, Shopify, and Wix.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

95 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details