
RevenueHero

RevenueHero exhibits cross-domain synchronization and consent bypass in its scheduling infrastructure. Although it presents as a calendar integration, runtime observation shows visitor identity being synced across domains before consent is resolved.

13 IOCs | 4 detections | 50% pre-consent | 4 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what RevenueHero discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

4 detections across 4 sites | 50% pre-consent activity
CRITICAL

Pre-Consent Activity

RevenueHero was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

scheduling_sync

MODERATE
They Claim

Pending claims extraction

Observed Behavior

Runtime shows cross-domain sync before consent for scheduling state

Customer Impact

What This Means For You

Sales teams gain scheduling automation but expose visitor identity through cross-domain sync (Broker). Legal teams face consent bypass liability from immediate activation. RevOps must audit cross-domain data flow to prevent scheduling behavior leakage.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use RevenueHero

  • Verify cross-domain sync timing against consent framework
  • Map domain topology - which domains participate in visitor sync
  • Audit scheduling data flow to CRM and external platforms

If You're Evaluating RevenueHero

  • Require consent-first cross-domain sync activation
  • Demand technical documentation of sync methodology and domain scope
  • Negotiate data isolation ensuring scheduling behavior remains internal

Negotiation Leverage

  • C08+C09: Demand DPA amendment requiring consent before cross-domain identity sync
  • Request list of ALL domains participating in visitor synchronization
  • Require audit rights covering cross-domain data flow and scheduling state
  • Negotiate data retention limits for cross-domain visitor records
Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C08: Cross-Domain Sync

Identity stitching

BTI-C09: Consent Bypass

Ignoring CMP signals

IOC Manifest

12 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK | *app.revenuehero.io/scheduler.js* | Tracking script
TRACK | assets.revenuehero.io | Tracking script
TRACK | app.revenuehero.io/scheduler.min.js | Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

RevenueHero operates in the sales engagement layer and is typically integrated with CRM (Salesforce, HubSpot) and calendar systems (Google Calendar, Outlook). Cross-domain sync enables scheduling state to persist across domains, but it creates identity exposure when the sync occurs before consent. RevenueHero is often co-deployed with de-anonymization vendors, which multiplies the visitor identification surface.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

13 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details