Kaspersky's main.js script is designed to display green checkmarks if it thinks the link leads to a clean website. However, its injection into the local HTML source code of users could have opened them to tracking. As scripts on a third-party website can access the complete HTML source at any point, they could have also accessed Kaspersky's unique tracking ID.
As a result, it would be trivial for companies with multiple sites to track users across the web. As it was present on every browser, they could do so across multiple applications and even if cookies were deleted. Even incognito mode would not be enough to stop the tracking.
Assumedly, those using a VPN would also be able to be identified. Visting a website with the IP address of a VPN provider, followed by a true IP address, would link the two via the Kaspersky ID. Thankfully, the behavior was not present in the Tor browser.
Whether or not any websites made use of this flaw is unknown. Kaspersky was quick to fix the issue once prompted but played down the chance of exploitation.
“Such an attack is too complex and not profitable for cybercriminals, and therefore unlikely to happen,” it told Eikenberg.
Its June solution, Patch F, changes the ID to match only to the user's specific Kaspersky edition. This is less privacy intrusive but could give hackers valuable information about whether a user's protection is outdated.