Category: Data Theft & Leakage
Formjacking (web skimming) in the browser
Formjacking (web skimming) is when attackers inject JavaScript into a site to steal data entered into forms—commonly payment or login details.
Quick answer
Victims trust the real site, but the attacker quietly siphons data in the background, often for long periods before discovery.
Against compromised sites and data-theft patterns like this one, browser isolation separates untrusted web content from the endpoint and supports stricter controls around high-risk browsing.
When you need this
- You’ve seen indicators of this threat in your environment.
- Users frequently click unknown links as part of daily work.
- You need a control that reduces risk without relying on perfect user judgment.
Last updated
2026-01-29
How it usually happens in the browser
- Attackers compromise a website or a third-party script used by that site (analytics, chat widgets, ads).
- Injected JavaScript listens for form submissions and copies field values.
- Stolen data is exfiltrated to attacker-controlled endpoints.
- Because the checkout/login still works, the compromise can remain unnoticed.
What traditional defenses miss
- The affected site is legitimate; users and filters don’t treat it as suspicious.
- Third-party script supply chains are difficult to monitor continuously.
- The attacker’s exfiltration can be low-volume and blend with normal traffic.
How isolation changes the game
- Isolation can reduce endpoint exposure and add policy controls around risky browsing, but formjacking is primarily a site/operator security issue.
- For enterprises, isolating unknown destinations reduces exposure to malicious scripts and third-party tag abuse on untrusted sites.
- Session deletion limits residual state and reduces long-lived tracking artifacts from risky browsing.
Operational checklist
- For your own apps: inventory third-party scripts, use subresource integrity (SRI) where possible, and monitor changes.
- Use CSP to limit where scripts can load from; restrict inline scripts.
- For corporate browsing: isolate unknown sites and high-risk categories to reduce exposure to compromised content.
- Watch for anomalous outbound requests from pages that collect form data (checkout, login), especially requests to endpoints the page has no reason to contact.
- Educate users: avoid entering payment details on unfamiliar or low-trust sites; prefer known official domains.
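The first two checklist items can be partly automated. The following Node.js script is an added example, not code from this page or any vendor: it inventories the `<script>` tags in a page, flags cross-origin scripts that lack SRI, and reports the hash for each inline script that a CSP `script-src` could list instead of allowing all inline code. It assumes a simple regex-based tag scan with quoted attribute values; the function names, hosts and sample HTML are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Value for an integrity="" attribute (SRI) or a CSP hash source.
function sriHash(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body, 'utf8').digest('base64')}`;
}

// Read one quoted attribute value from a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(["'])(.*?)\\1`, 'i').exec(attrs);
  return m ? m[2] : null;
}

// Returns findings for inline scripts and cross-origin scripts lacking SRI.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = attr(attrs, 'src');
    if (src === null) {
      // Inline script: report the hash a CSP script-src can list instead of 'unsafe-inline'.
      if (body.trim()) findings.push({ type: 'inline', detail: sriHash(body, 'sha256') });
      continue;
    }
    const url = new URL(src, page);
    if (url.origin === page.origin) continue; // first-party: tracked by your own deploys
    if (!attr(attrs, 'integrity')) {
      findings.push({ type: 'third-party-no-sri', detail: url.href });
    } else if (!/(?:^|\s)crossorigin(?:\s|=|$)/i.test(attrs)) {
      // Cross-origin SRI needs a CORS fetch; without crossorigin the browser blocks the script.
      findings.push({ type: 'sri-missing-crossorigin', detail: url.href });
    }
  }
  return findings;
}

// Constructed sample page; hosts and integrity values are placeholders.
const SAMPLE = `
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/chat.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://tags.example.org/a.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.cfg = {};</script>`;

console.log(auditScripts(SAMPLE, 'https://shop.example.com/checkout'));
```

Running the audit on a schedule and diffing its output against the previous run gives a basic change monitor for the script inventory.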
FAQs
Is formjacking a browser vulnerability?
Not necessarily. It’s often a compromise of the website or its third-party scripts. The browser executes the injected script as designed.
How is it detected?
Through script integrity monitoring, anomaly detection in network requests, and incident response when stolen card/credential activity is observed.
Does isolating browsing stop formjacking?
Isolation reduces endpoint risk and can contain untrusted browsing, but it doesn’t “fix” a compromised site. It’s one layer in a broader security posture.
What’s a common sign of compromise?
Unexpected third-party script changes, new external endpoints receiving form data, or unusually high fraud/chargeback rates.