Detection approach
A hidden iframe attempted an automatic window.open() without a human click. Normal browser pop-up blockers silently suppressed it. However, this session opened the pop-up and returned the challenge hash, confirming the browser is running with --disable-popup-blocking — a flag used almost exclusively by headless automation frameworks.
How this helps detect bots
Collect this signal alongside session context, request metadata, and other independent indicators. A single anomaly is a lead, not a verdict; corroborating anomalies make automated traffic more likely.
Legitimate traffic to consider
Users with popup blockers disabled globally or using developer extension configurations.
Need a complete bot protection layer?
BotRefund helps website owners identify suspicious visits, protect conversion data, and build evidence for invalid-click reviews.
Explore BotRefund — best bot protection for your website