Adobe Pops Above Google to Flash Apple (and Opera) Users

Jesse Stay, brought to my attention earlier, with the screenshot below the code, that Adobe was activating pop-ups through Google Adsense; of course this shouldn’t happen, since Google doesn’t allow such actions, in their ads. I went to check in out for myself, and got nil. I immediately assumed that it was limited to Mac, and went in search of the User-Agent check, and found it after about 5 minutes.

Update: The rest of this article is a bit technical, if you would like a less technical description, you should go read Adobe and Google Sitting in a Tree.

Below is the source of the issue:

document.write('<!-- Template Id = 2,593 Template Name = Banner Creative (Flash) - In Page --><!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"\"><\/script>');document.write('\n');

function DCFlash(id,pVM){
var swf = "";
var gif = "";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'"';
var bgo=(bg=="same as SWF")?"":'<param name="bgcolor" value="#'+bg+'">';
var bge=(bg=="same as SWF")?"":' bgcolor="#'+bg+'"';

function FSWin(){
 if((openWindow=="false")&&(id=="DCF0"))alert('openWindow is wrong.');
 {winL=Math.floor((screen.availWidth-winW)/2);winT=Math.floor((screen.availHeight-winH)/2);},id,"width="+winW+",height="+winH+",top="+winT+",left="+winL+",status=no,toolbar=no,menubar=no,location=no");}this.FSWin = FSWin;

 var adcode='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="'+id+'"'+FWH+'>'+
 '<param name="movie" value="'+swf+'"><param name="flashvars" value='+fv+'><param name="quality" value="high"><param name="wmode" value="'+wmode+'"><param name="base" value="'+swf.substring(0,swf.lastIndexOf("/"))+'"><PARAM NAME="AllowScriptAccess" VALUE="'+dcallowscriptaccess+'">'+bgo+
 '<embed src="'+swf+'" flashvars='+fv+bge+FWH+' type="application/x-shockwave-flash" quality="high" swliveconnect="true" wmode="'+wmode+'" name="'+id+'" base="'+swf.substring(0,swf.lastIndexOf("/"))+'" AllowScriptAccess="'+dcallowscriptaccess+'"></embed></object>';
 if(('j'!="j")&&(typeof dclkFlashWrite!="undefined")){dclkFlashWrite(adcode);}else{document.write(adcode);}
 document.write('<a target="_blank" href="'+unescape(url)+'"><img src="'+gif+'"'+FWH+'border="0" alt="" galleryimg="no"></a>');

var pVM=0;
var DCid=(isNaN("224918296"))?"DCF0":"DCF224918296";
if(navigator.plugins && navigator.mimeTypes.length){
 var x=navigator.plugins["Shockwave Flash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
 window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal args)\nCall '+DCid+'_DoFSCommand(command, args)\nEnd Sub\n',"VBScript");}
eval("function "+DCid+"_DoFSCommand(c,a){if(c=='openWindow')o"+DCid+".FSWin();}o"+DCid+"=new DCFlash('"+DCid+"',pVM);");

document.write('\n<noscript><a target=\"_blank\" href=\"\"><img src=\"\" width=\"300\" height=\"250\" border=\"0\" alt=\"\" galleryimg=\"no\"></a></noscript>\n');

<script src="">
function dclkToObject(id) {
 return (document.layers[id])?eval(document.layers[id]):null;
 else if(document.all && !document.getElementById){
 return (eval("window."+id))?eval("window."+id):null;
 else if(document.getElementById && {
 return (document.getElementById(id))?eval(document.getElementById(id)):null;

function dclkFlashWrite(string){

function dclkFlashInnerHTML(htmlElementId,code){
 var x=dclkToObject(htmlElementId);
 else if(document.layers){;
Adobe Ad

Adobe pops up on a Mac

The interesting thing I spotted quite quickly is that it is also going after Opera, don’t ask me why, that’s pretty obscure. I immediately tested it out, just to see, and ended up getting the pop-up.

After looking at the code for about a half hour, I still don’t know what everything is, and exactly how it’s getting past Google, I also don’t know how ad’s are created, because I’ve never bothered to look at it.  So I’m not sure, if this is something anyone could execute, or if Google is allowing it. So it’s possible that there is a vulnerability in Adsense.

What I can tell after looking at the code, is that they are targeting Apple, and Opera, users, as well as using javascript to activate flash, in the background.

First they are setting the DCid as either DCF0 or DCF224198296, this should always validate as false and the will set DCid as DCF224198296. Then, it goes on to check if the browser uses plugins and has at least any values, if it results in true it attempts to setup ShockwaveFlash and perform a version check on it, setting the variable pVM to the version number. If that statement failed, it assumes you are using IE and initializes using ActiveX.

I don’t understand exactly what is going on in the eval, so I can’t say much about it, besides it calls DCFlash with the DCid(“DCF224198296”) and the pVM(“Flash Version”).

I apologize if the rest of this is rushed for now, I’m getting a bit tired.

The DCFlash function then initializes an assortment of variables, before setting up the FSWin function.
FSWin checks to see if the window is already open or the DCid was set in error to DCF0, it then checks to see if the window is centered and gather your screen size for offsets on the window border. Following FSWin is the window initialization, which disables all navigation, in that window.

Next,  is the User-Agent analysis, which first check to make sure that your current Flash version is at minimum Vers. 8, it then checks to see if you are using either a Mac or Opera, if you aren’t the value is less than 0, returning true, this then compares in with window==”false”, which is true, in an or statement, which will return false, if both are set. If this test of the browser conditions fail, either using an old version of Flash, or using a Mac, or Opera it will default to just the default hyperlinked gif. Otherwise, it sets up Flash to be displayed in the window pain.

During the course, of writing this the test ad I was using has disappeared, but I’ll see if I can gather any more of the code. One thing I found odd, is that the ad was stored within an iFrame, which I couldn’t find with any of Google’s other Adsense ads, I managed to find a representation of using an iFrame, after I woke up.

  • Pingback: Tweets that mention Adobe Pops Above Google to Flash Apple (and Opera) Users | The Innovationist --

  • It doesn't matter how they are doing it – it's horrible practice.

    This was happening to me several times while going through Reader, and I kept checking to see if I had any other windows open. As I didn't, it was coming through one of the feeds. Look, Adobe. I don't care if you love Apple. I hate your ads.

  • LOL

    Louis, Adobe loves Apple so much, they only wanted to annoy Mac users,
    and the occasional Opera user, I admit, that's one of the most
    annoying ads, I've seen in nearly a decade.

  • jg

    please learn proper use of the apostrophe.

    “Adobe was activating pop-up’s through Google” makes no sense.

  • Doug

    Nit-pick: s/window pain/window pane/

  • I had hoped these ads would somehow work on non flash devices. Good find, and review.

  • Desparate acts I presume to support flash developers?

    I want those flash popups on my ipad 🙂

  • Mike

    What you are seeing is a DoubleClick rich media ad, nothing new at all.

    Since the merger, the DoubleClick and AdWords platforms have been combined, so now larger advertisers DC rich media campaigns can appear in AdSense blocks and vice versa.

  • Well that is comforting, to know. /sarcasm

    That just means it's even easier for a regular person to do something
    like this. For now, I'll avoid AdSense as much as I can.

  • As did several other people. The title probably should have been Mac and Opera users. A large number of people thought I was referring to iPhone/iPad devices as well.

  • Mike

    I am just pointing out, this is not an exploit or hack.

    Regular people can't do this. Last time I checked there was a $10k/mo minimum to get on the DART platform.

    If you don't like Google's editorial review policies for rich media ads, you should contact them about it.

  • I never called this implementation an exploit or hack, except in the preliminary anaylsis, and recognition that this has the possibility to be used as an exploit vector, but I understand what you're saying.

    I guess if it's $10k/mo, it is limiting to a regular person.

    As far as Google's editorial review policies, they did remove it after about 10 hours, so they obviously picked up on it fairly quickly. It would be bothersome for them to analyze all the RMA's, I'd say.

  • Oh I understood, you were clear about it. It was just the hacker in me hoping that Adobe had backdoored flash in some form on iPhone OS 😉

    My soapbox

  • You were also clear, about what you meant, but I was shocked at some
    people who it appeared looked no further than the title, and were
    commenting that they didn't understand how it would work on an
    iPhone/iPad. It would have been interesting if Adobe would have found
    a way to backdoor Flash onto the devices, that would have shown Apple.

  • Makes you wonder if others could do so without rooting the device…

  • Are you sure the ads were served via Google Ad Sense? I have been looking into this, and from what I understand, we did not distribute any of the ads via AdSense.

    mike chambers

  • Mike, they were served by AdSense, but they originated from Doubleclick.

  • Pingback: Adobe Targets Mac Owners and Opera Users In An Ad Blitz | I Love Apple Ad Campaign()

  • Thanks. I am still looking into to this and trying to figure out what is going on.

    mike chambers

  • Are you sure the ads were served via Google Ad Sense? I have been looking into this, and from what I understand, we did not distribute any of the ads via AdSense.

    mike chambers

  • Mike, they were served by AdSense, but they originated from Doubleclick.

  • Thanks. I am still looking into to this and trying to figure out what is going on.

    mike chambers

  • Pingback: Adobe and Google Sitting in a Tree? Or Did Adobe Just Pwn Google? | Stay N' Alive()