My company hired an outside contractor on Upwork for cheap to optimize our Lighthouse score. He asked me to review what they did, and I'm trying to figure out exactly what they did. Our scores definitely went up, but it looks like there is a special set of rules for the Chrome-Lighthouse and GTmetrix agents that ignores certain things in order to get a better score.
Can anyone decipher this and tell me if this is just a hack or legit?
// Deferred-resource loader gated on the User-Agent string.
//
// Hex escapes used in the condition, decoded:
//   '\x6E\x61\x76\x69\x67\x61\x74\x6F\x72'  -> 'navigator'
//   '\x75\x73\x65\x72\x41\x67\x65\x6E\x74'  -> 'userAgent'
//   '\x43\x68\x72\x6F\x6D\x65\x2D\x4C\x69\x67\x68\x74\x68\x6F\x75\x73\x65' -> 'Chrome-Lighthouse'
//   '\x47\x54\x6D\x65\x74\x72\x69\x78'      -> 'GTmetrix'
//
// The body runs only when navigator.userAgent contains NONE of
// 'Chrome-Lighthouse', 'X11' or 'GTmetrix'. When any of them is present,
// nothing below executes, so elements written as <script data-src=...> and
// <link data-href=...> never receive a real src/href from this code. An audit
// tool sending one of those user agents therefore measures a page without
// those resources, while other visitors get them on first interaction or
// 9 s after the window load event.
//
// NOTE(review): 'X11' normally appears in Linux desktop browser user agents,
// so those visitors are presumably excluded as well - confirm the site still
// works for them.
// NOTE(review): to see what is withheld from the audit tools, list every
// element in the served HTML that carries data-src / data-href, and compare
// the requests made under a normal user agent with those made under a
// 'Chrome-Lighthouse' one. The same gap applies to any scanner whose
// user agent contains one of the three tokens.
if (window['\x6E\x61\x76\x69\x67\x61\x74\x6F\x72']['\x75\x73\x65\x72\x41\x67\x65\x6E\x74'].indexOf('\x43\x68\x72\x6F\x6D\x65\x2D\x4C\x69\x67\x68\x74\x68\x6F\x75\x73\x65') == -1 && window['\x6E\x61\x76\x69\x67\x61\x74\x6F\x72']['\x75\x73\x65\x72\x41\x67\x65\x6E\x74'].indexOf('X11') == -1 && window['\x6E\x61\x76\x69\x67\x61\x74\x6F\x72']['\x75\x73\x65\x72\x41\x67\x65\x6E\x74'].indexOf('\x47\x54\x6D\x65\x74\x72\x69\x78') == -1) {
// One-shot guard shared by both loaders: !1 is false, !0 is true.
var script_loaded = !1;
/**
 * Delayed loader, registered below as the "load" handler.
 * Waits 9e3 ms (9000 ms) and then, if the swap has not happened yet,
 * activates every deferred script and link. The logged text says 18000ms,
 * which does not match the timer value.
 */
function loadJSscripts() {
console.log("Loading scripts 18000ms"), setTimeout(function() {
if (!script_loaded) {
script_loaded = !0;
// Copy data-src into src on every <script> that has it, then drop the
// data-src attribute (deleting the dataset entry removes the attribute).
// NOTE(review): `i` is not declared anywhere in this snippet, so in
// non-strict code it becomes an implicit global.
var t = document.getElementsByTagName("script");
for (i = 0; i < t.length; i++) null !== t[i].getAttribute("data-src") && (t[i].setAttribute("src", t[i].getAttribute("data-src")), delete t[i].dataset.src);
// Same swap for <link> elements: data-href becomes href.
var e = document.getElementsByTagName("link");
for (i = 0; i < e.length; i++) null !== e[i].getAttribute("data-href") && (e[i].setAttribute("href", e[i].getAttribute("data-href")), delete e[i].dataset.href);
// 400 ms later, signal two custom events on document. Their listeners are
// not part of this snippet; presumably other site code waits on them.
setTimeout(function() {
document.dispatchEvent(new CustomEvent("StartAsyncLoading")), document.dispatchEvent(new CustomEvent("StartKernelLoading"))
}, 400)
}
}, 9e3)
}
/**
 * Immediate loader, registered below for user-activity events.
 * Performs the same data-src/data-href swap and event dispatch as
 * loadJSscripts, but without the 9000 ms wait. The shared script_loaded
 * flag makes whichever loader fires first the only one that does the swap.
 */
function loadJSscriptsNow() {
if (!script_loaded) {
console.log("now ..."), script_loaded = !0;
// Activate deferred scripts (data-src -> src).
var t = document.getElementsByTagName("script");
for (i = 0; i < t.length; i++) null !== t[i].getAttribute("data-src") && (t[i].setAttribute("src", t[i].getAttribute("data-src")), delete t[i].dataset.src);
// Activate deferred links (data-href -> href).
var e = document.getElementsByTagName("link");
for (i = 0; i < e.length; i++) null !== e[i].getAttribute("data-href") && (e[i].setAttribute("href", e[i].getAttribute("data-href")), delete e[i].dataset.href);
// Same delayed custom-event signal as in loadJSscripts.
setTimeout(function() {
document.dispatchEvent(new CustomEvent("StartAsyncLoading")), document.dispatchEvent(new CustomEvent("StartKernelLoading"))
}, 400)
}
}
// Any of these interaction events on window triggers the immediate loader.
var activityEvents = ["mousedown", "mousemove", "keydown", "scroll", "touchstart", "click", "keypress", "touchmove"];
// After the activity listeners, the delayed loader is attached to "load":
// on document under the names "load" and "onload", then on window via
// addEventListener, falling back to attachEvent and finally window.onload.
// NOTE(review): "onload" is not an event type name used with
// addEventListener, and the page load event is dispatched on window, so the
// two document registrations look like no-ops - confirm.
activityEvents.forEach(function(t) {
window.addEventListener(t, loadJSscriptsNow, !1)
}), document.addEventListener("load", loadJSscripts, !1), document.addEventListener("onload", loadJSscripts, !1), null != window.addEventListener ? window.addEventListener("load", loadJSscripts, !1) : null != window.attachEvent ? window.attachEvent("onload", loadJSscripts) : window.onload = loadJSscripts;
}
This appears to be a scam.
Searching for that code, I can find similar code here and here.
The code is intentionally difficult to read, but the idea appears to be that when it detects that page speed is being measured (seemingly by checking the User-Agent string), it loads an empty page, which will obviously be faster. I'm not sure what it's doing with `script` and `link` tags, so this variant might be a little different, but that's what they're reporting on Shopify.
I would be extremely suspicious based on that first line alone, though. Any time you have strings whose contents are oddly encoded, there's the potential that the encoding is being used to hide information. Here, they appear to be trying to hide the fact that they're checking the user-agent string for 'Chrome-Lighthouse' (`'\x43\x68\x72\x6F\x6D\x65\x2D\x4C\x69\x67\x68\x74\x68\x6F\x75\x73\x65'`), but it could have also been code that stole session cookies, or replaced links on pages to point to malicious sites. Be very cautious of code that appears to be evading human or other static detection.