In my wordpress site, some hacker has embedded a script into it somewhere.
The problem I'm having now is, whenever the site is opened, the first time a user clicks anywhere on it, a spam popup appears, due to the hacker's script.
Is there any way I can prevent the popup window from being created with Javascript?
If I can't prevent it, is there any way that I can close the popup using JS? Unfortunately, since the other script is creating it, I don't have a reference to the opened window. I've seen other scripts calling .close() on an opened window, but I don't have a reference to the new window, so I don't know how to close it.
The popup on your site is opened by something calling window.open. You can prevent it by assigning something else to window.open and running your script before the other script does:
window.open = () => undefined;
(This does work, if I run this code on your site before your site's Javascript runs, no windows get opened)
It's not uncommon for a client to want to implement this, but if you're the server, it'd be better to fix the server to remove the malicious code, rather than try to patch around it.