Sojern | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Sojern discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

111 detections across 108 sites12% pre-consent activity

MEDIUM

Pre-Consent Activity

Sojern was observed loading and executing before user consent was obtained on 12% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

disclosure

CRITICAL

They Claim

“Pending claims extraction”

Observed Behavior

Runtime detection shows C07 (session recording), C09 (consent bypass), C14 (identity resolution), C15 (tag manager)

Customer Impact

What This Means For You

Hotels and airlines using Sojern face session recording liability exposing guest PII and payment flows. Identity resolution creates persistent profiles linking travel searches across competitive properties. Tag manager enables Sojern to add tracking partners without customer awareness or consent.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Sojern

→Audit Sojern tag manager for unauthorized third-party additions
→Implement session recording suppression for payment/PII entry flows
→Review identity resolution opt-out mechanisms and data deletion procedures

If You're Evaluating Sojern

→Document session recording scope and retention policies
→Request written confirmation that travel intent data is not sold to direct competitors
→Obtain technical specification for disabling identity resolution per-visitor

Negotiation Leverage

→Session recording: Full replay captures sensitive booking flows — require PII/payment redaction and explicit session recording consent.
→Identity resolution: Cross-property profiling links travel intent — negotiate competitor exclusions and demand data deletion rights.
→Tag manager control: Dynamic partner additions bypass customer oversight — require approval workflow for all third-party additions.
→Data sales: Travel intent signals sold to competitive properties — demand transparency on buyer identity and exclusion rights.

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C07Session Recording

Full session replay

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

27 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*static.sojern.com/sdk/latest/sojern.js*

Tracking script

TRACK

*pixel.sojern.com/sdk/advertiser/id/*/track*

Tracking script

TRACK

*web.sojern.com/pd.js*

Tracking script

TRACK

*web.sojern.com/analytics*

Tracking script

TRACK

static.sojern.com/sdk/latest/sojern.min.js

Auto-extracted from scan

TRACK

pixel.sojern.com/sdk/advertiser/id/62666/track

Auto-extracted from scan

TRACK

web.sojern.com/pd.js

Auto-extracted from scan

TRACK

web.sojern.com/analytics

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Sojern dominates travel/hospitality alongside Criteo, Google Hotel Ads, TripAdvisor, and Expedia Media Solutions. Session recordings feed into travel intent databases sold to competing properties.

Loads (4)

Metapixel Hotjar Linkedin Pardot

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

43 detection signatures across scripts, domains, cookies, and network endpoints