How to detect invisible iframe cookie stuffing

Block hidden iframes

Identify when publishers hide tracking links in 1x1-pixel elements to force automatic browser cookie drops.

Try SEATEXT AI for free

Affiliate marketing relies on referral attribution. While simple in theory, tracking networks are highly vulnerable to background script abuse, particularly **invisible iframe cookie stuffing**.

By embedding hidden 1x1-pixel frame elements on their websites, rogue publishers load your store's tracking links invisibly in the background. The customer's browser drops your tracking cookie without their knowledge, allowing the publisher to capture commissions on organic sales. Let's look at how to detect this tactic.

How invisible iframes stuff cookies

The iframe element is standard HTML used to embed sub-documents. However, it is easily abused for background requests:

  • A user visits a rogue publisher's site (such as a coupon aggregator or download portal).
  • The page HTML contains a hidden 1x1-pixel iframe whose source is your affiliate tracking link.
  • The user's browser parses the tag and calls the source link. The affiliate network registers a click and drops the tracking cookie on the user's device.
  • When that user later visits your store organically and completes a purchase, the publisher captures the commission.

This captures attribution on organic conversions without providing any marketing value.

Technical methods for detecting iframe stuffing

To protect your margins, deploy these checks:

  1. HTTP Referrer Logs: If an affiliate click registers but the referrer header points to your own site structure—or a domain that does not match the publisher's approved URL—the publisher is likely using hidden iframes to route requests.
  2. Content Security Policy (CSP) Headers: Implement CSP rules (`frame-ancestors 'none'`) to prevent unauthorized sites from loading your store pages inside frames.
  3. DOM Frame Auditing: Track if your checkout tracking scripts execute inside a sub-frame context (`window.self !== window.top`), flagging nested frame instances.
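
The referrer and frame checks above can be combined into one audit over recorded click data. The following is an added example, not code from BotRefund or SEATEXT AI; the function names, record fields, flag strings and sample hosts are all hypothetical.

```javascript
// Added example; function names, record fields and flag strings are hypothetical.

// Landing-page side: capture the frame state and referrer for the click record.
function frameContext(win) {
  return {
    inSubFrame: win.self !== win.top, // true when the page runs inside a frame
    referrer: win.document.referrer || "",
  };
}

// True for the allowed host itself or any of its subdomains.
function hostMatches(host, allowed) {
  return host === allowed || host.endsWith("." + allowed);
}

// Review side: apply the referrer and frame checks to one click record.
function auditAffiliateClick(click, policy) {
  const flags = [];
  if (click.inSubFrame) {
    flags.push("loaded-in-subframe");
    if (!click.userClicked) flags.push("no-user-click");
  }
  let host = null;
  try {
    host = new URL(click.referrer).hostname.toLowerCase();
  } catch (e) {
    // Empty or malformed referrer: browsers and referrer policies often strip
    // it, so treat it as inconclusive rather than as evidence.
  }
  if (host !== null) {
    const approved = policy.approved[click.affiliateId] || [];
    if (hostMatches(host, policy.ownHost)) {
      flags.push("referrer-own-site");
    } else if (!approved.some((a) => hostMatches(host, a))) {
      flags.push("referrer-not-approved");
    }
  }
  return { affiliateId: click.affiliateId, flags, suspicious: flags.length > 0 };
}

// Constructed sample data (not real publishers or logs).
const policy = { ownHost: "store.example", approved: { aff42: ["deals.example"] } };
const clicks = [
  { affiliateId: "aff42", referrer: "https://www.deals.example/shoes", inSubFrame: false, userClicked: true },
  { affiliateId: "aff42", referrer: "https://downloads.example/", inSubFrame: true, userClicked: false },
  { affiliateId: "aff42", referrer: "https://store.example/cart", inSubFrame: false, userClicked: false },
  { affiliateId: "aff42", referrer: "", inSubFrame: false, userClicked: true },
];
const report = clicks.map((c) => auditAffiliateClick(c, policy));
console.log(report);
```

In the browser, `frameContext(window)` supplies the `inSubFrame` and `referrer` fields; a missing referrer is left unflagged because it is common in legitimate traffic.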

How BotRefund blocks iframe stuffing

BotRefund runs active security auditing on your landing and checkout pages. It monitors frame nesting states, referrer transitions, and user pointer presence in real-time.

If the platform logs a conversion referral where the affiliate link was loaded inside a nested sub-frame context without a corresponding physical user click event, it flags the transaction as an override, allowing you to reject the invoice.

Frequently Asked Questions

What is iframe cookie stuffing?

It is an ad fraud method where a publisher loads a merchant's tracking link inside a hidden 1x1 pixel iframe to silently drop cookies on visitors' devices.

Why does a CSP prevent iframe abuse?

A Content Security Policy tells the user's browser which sites are allowed to embed your pages, preventing unauthorized domains from loading your store inside hidden frames.

Can I decline payouts for iframe-referred conversions?

Yes. Affiliate networks ban automated iframe loading, giving merchants the legal right to withhold payouts when presented with frame nesting logs.

Regain control of your referral logs

Stop paying for automated background redirects. Install SEATEXT AI today to track frame activities, audit referrer transitions, and secure your checkout attribution.
