Header Bidding and Malware

[headerbidding]

I am having malvertising issues and just found this through a google search:

"Actually with header bidding each ad network can in theory execute any javascript they want even before they win or if they don't win at all. This is because most header bidding adapters execute at least some javascript from the ad network. See pulsepoint for example:

Prebid.js/src/adapters/pulsepoint.js

Line 12 in fd7ae19

adloader.loadScript(getJsStaticUrl, function () { bid(params); }, true);

It will always load and execute tag-st.contextweb.com/getjs.static.js no matter if they even bid. This javascript can then do a simple redirect of the top page."

Is this true?

From: https://www.reddit.com/r/adops/comments/6gimey/header_bidding_full_of_malware/

[Deimos01]

External JS or libs from SSPs are not the source of redirects. Redirects are coming from the winning ads rendered on the page.
Some sneaky JS codes are hidden in the creatives and unfortunately there is no magic solution to avoid them. You should take a look to this long issue.

[headerbidding]

Thank you. This is good information! I have raised the bid floor to $1.00 for all bidders. I hope this will keep the bad guys away.

[mkendall07]

as of prebid 1.x, the referenced behavior (loading external JS by bidders) is not allowed.

[headerbidding]

Thank you. That's good to know!