Author Topic: ieretrofit.js suspicious on this website?  (Read 2838 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
ieretrofit.js suspicious on this website?
« on: July 26, 2015, 12:36:50 AM »
See: https://www.virustotal.com/nl/url/3031d5a715775ed46ae1f290140eadac36bce6704f15c08886ed310ca7927a65/analysis/1437863242/
Nothing: http://quttera.com/detailed_report/redes-loyola.blogspot.com
Infested? -> -https://www.blogger.com/static/v1/jsbin/1333113279-ieretrofit.js
See part of HTTP requests for https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~VB-FWB/detailed-analysis.aspx
Blocked request by uMatrix for: -http://gg.google.com/*
Security header info for gg.google.com site:

Strict-Transport-Security
Uh oh! Strict-Transport-Security does not appear to be found in the site's HTTP header, so browsers will not try to access your pages over SSL first.

Content Security Policy
Uh oh! We did not detect Content-Security-Policy, x-webkit-csp, or even x-webkit-csp-report-only in the site's HTTP header, making XSS attacks more likely to succeed.

Server Information
Uh oh! Server: was found in this site's HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!

Cross Domain Meta Policy
Uh oh! Permitted-Cross-Domain-Policies does not appear to be found in the site's HTTP header, so it's possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and pdf files.

pol
« Last Edit: July 26, 2015, 12:44:00 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
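The four header findings quoted above can be reproduced offline with a small audit. This is an added example, not code from the post or from the scanner it quotes; the two raw responses are constructed for illustration (not captured from gg.google.com), and the check uses the standard header name X-Permitted-Cross-Domain-Policies for what the tool calls "Permitted-Cross-Domain-Policies".

```python
# Added example: audit a raw HTTP response head for the four findings
# reported above (HSTS, CSP, Server disclosure, cross-domain policy).
from typing import Dict, List

# Constructed sample responses, not real captures.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/1.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "\r\n"
)

# The legacy WebKit names the scanner also looks for.
CSP_NAMES = ("content-security-policy", "x-webkit-csp", "x-webkit-csp-report-only")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw response head into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per problem, in the order the scanner reported them."""
    findings: List[str] = []
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security: browsers are not forced onto HTTPS")
    if not any(name in headers for name in CSP_NAMES):
        findings.append("missing Content-Security-Policy (or legacy x-webkit-csp variants)")
    if "server" in headers:
        findings.append(f"Server header discloses software: {headers['server']!r}")
    if "x-permitted-cross-domain-policies" not in headers:
        findings.append("missing X-Permitted-Cross-Domain-Policies: Flash/PDF policy not restricted")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_headers(raw)) or ["no findings"])
```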

Offline polonus
Re: ieretrofit.js suspicious on this website?
« Reply #1 on: August 11, 2015, 12:43:49 AM »
Update of persistent issues with ieretrofit.js -> example scan: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.blogger.com%2Fstatic%2Fv1%2Fjsbin%2F1333113279-ieretrofit.js
Consider my posting here: https://forum.avast.com/index.php?topic=155632.0
From https://www.blogger.com/static/v1/widgets/329677814-widgets.js ->
Code:
<!DOCTYPE html><html><head><link rel="stylesheet" href="https://www.gstatic.com/_/hr/_/ss/k=homeroom.homeroom_share_widget.-44m7dvj81p6i.L.X.O/m=share_widget/d=1/rs=AK3ymSXg82Jb33pWwWJzud2Oc1IoMJ7d9g"></head><body><div class="hrIdWidgetContainer"></div><script type="text/javascript">var _hrHost_ = "https:\/\/classroom.google.com"; var _F_jsUrl = "https:\/\/www.gstatic.com\/_\/hr\/_\/js\/k\x3dhomeroom.homeroom_share_widget.en_US.bLesL0LBndk.O\/m\x3dshare_widget\/rt\x3dj\/d\x3d1\/rs\x3dAK3ymSWrY-ITpchTUeXEkTkD37_58MDCyA";</script><script id="base-js" src="https://www.gstatic.com/_/hr/_/js/k=homeroom.homeroom_share_widget.en_US.bLesL0LBndk.O/m=share_widget/rt=j/d=1/rs=AK3ymSWrY-ITpchTUeXEkTkD37_58MDCyA"></script></body></html>  -> "-https://www.gstatic.com/classroom/sharewidget/widget_stable.html?usegapi\u003d1"},"ytshare"
-> "-https://ssl.gstatic.com/microscope/embed/"},"savetowallet":
-> -//csi.gstatic.com/csi",Od="//www.blogger.com/img/widgets/icon_contactform_cross.gif",Pd="/rearrange?
-> "-http://csi.gstatic.com/csi",ej="-http://search.yahoo.com/mrss/",fj=
"https",gj="https:",hj="https://csi.gstatic.com/csi",ij="-https://m.facebook.com/sharer.php?u="
-> -https://www.gstatic.com/classroom/sharewidget/widget_stable.html?usegapi\u003d1"
-> -https://csi.gstatic.com/csi",ij="https://m.facebook.com/sharer.php?u=
And more interesting where we wind up from here: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.gstatic.com%2Fclassroom%2Fsharewidget%2Fwidget_stable.html%3Fusegapi%5Cu003d1%22%7D%2C%22ytshare -> -https://www.gstatic.com/_/hr/_/js/k=homeroom.homeroom_share_widget.en_US.bLesL0LBndk.O/m=share_widget/rt=j/d=1/rs=AK3ymSWrY-ITpchTUeXEkTkD37_58MDCyA
For what happens here, read: http://docs.yworks.com/yfiles/doc/developers-guide/mvc_controller.html

polonus  (volunteer website security analyst and website error-hunter)

P.S. Interesting link: https://developer.linkedin.com/plugins/share

D
« Last Edit: August 11, 2015, 12:51:57 AM by polonus »

Offline polonus
Re: ieretrofit.js suspicious on this website?
« Reply #2 on: September 17, 2015, 06:24:16 PM »
Update of another blog website with ieretrofit.js as possible malware: https://www.virustotal.com/nl/url/0a2c47c9985d47d190bd7c20c23021a9133ba2cd4c4a0618c88649d5bfc1f64f/analysis/1442506219/
In the list of scripts included we find: -https://www.blogger.com/static/v1/jsbin/3161104989-ieretrofit.js
Read how some are disabling it: http://stackoverflow.com/questions/5774618/disabling-ieretrofit-js-on-blogger;
the problem is caused by a javascript that Blogger runs on IE browsers to help display pages properly. (If you download the source HTML and comment out this script then the background appears normal), while the code goes back to 2012! -> -https://code.google.com/p/tiensilun/downloads/detail?name=2904029546-ieretrofit.js&can=2&q=
consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.blogger.com%2Fstatic%2Fv1%2Fjsbin%2F3161104989-ieretrofit.js
Now on the website where this was detected;
see where it was not flagged: http://quttera.com/detailed_report/sudo2.blogspot.com
and also not flagged here: https://sitecheck.sucuri.net/results/sudo2.blogspot.com#sitecheck-details
While VirusWatch Archives flags this blog for unknown_html.

polonus