Suspicious script within HTML elements

Hello,

we have spotted some tracking tool but can't find proper source of it. The tracking script appears when HTML Elements plugin is enabled. When Confluence was in a safe mode, the script is not visible, and when HTML Elements are enabled, it pops up again.

The suspicious javascript files are coming from several sources like http://a.adroll.com/j/roundtrip.js, or s.adroll.com/j/pre/4AZEHCGDXVAQJODIXAIH7Z/YB3U65ETPVB2PGJUSNWDAN/index.js and many variations, coming typically from *.adroll.com, the web is on the mozilla list of suspicious pages.

What is strange that it is not fully hidden as typical malicious script, but it shows the content as: "NextRoll, Inc. ("NextRoll") and our advertising partners use cookies ...", so it looks as some addon that is using that. However, this is a private business wiki instance and we don't want to have such a tracking tool. So, it is possible that is part of some installed addon.

Very recently we did have a migration to a better server and I was able to check situation there, 2 weeks ago we didn't have this javascript.

Checking out the database, I couldn't find anything related to string "adroll", it is not there, at least not as a plain text.

The same is on file system, I checked the server and couldn't find adroll in a plain text (except in the cached sites, I will send another example how does it look like in the cache)

However, I'm not sure if some of the users included somewhere in the wiki such a sources, quite possible this is not a bug, but some mistake from our side.

If you can help us tracing the requests it would be great. In the attachment are: - log file created by confluence - 2 pictures showing the source of the script within firefox developer tools - 1 pictures showing the warning in the frontend (wiki01.png).

Quite possible it is not real malware, as it wouldn't show it self in the frontend with the icon.

Best regards, Franko I. Sonnen Gmbh