Unbundle-Rewrite-Rebundle: Runtime Detection and Rewriting of Privacy-Harming Code in JavaScript Bundles
Mir Masood Ali, Peter Snyder, Chris Kanich, Hamed Haddadi

TL;DR
This paper introduces URR, a system that detects privacy-harming JavaScript code inside bundled scripts and rewrites it at runtime, improving privacy without breaking functionality.
Contribution
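URR is a novel runtime approach that analyzes JavaScript ASTs to identify and replace privacy-harming code in bundled scripts. It addresses a gap left by URL-based content filters, which cannot separate desired from unwanted code once both are compiled into a single bundle file.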
Findings
Precision of 1.00 in detecting harmful code
Recall of 0.95 for identifying privacy-harming libraries
Rewrites executed in 0.43 seconds per script
Abstract
This work presents Unbundle-Rewrite-Rebundle (URR), a system for detecting privacy-harming portions of bundled JavaScript code and rewriting that code at runtime to remove the privacy-harming behavior without breaking the surrounding code or overall application. URR is a novel solution to the problem of JavaScript bundles, where websites pre-compile multiple code units into a single file, making it impossible for content filters and ad-blockers to differentiate between desired and unwanted resources. Where traditional content filtering tools rely on URLs, URR analyzes the code at the AST level, and replaces harmful AST sub-trees with privacy-and-functionality maintaining alternatives. We present an open-sourced implementation of URR as a Firefox extension and evaluate it against JavaScript bundles generated by the most popular bundling system (Webpack) deployed on the Tranco 10k. We…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Web Application Security Vulnerabilities
