From b2db8bb910d78d10cc8584bd8d59284789363ba2 Mon Sep 17 00:00:00 2001
From: Danny Shmueli
Date: Sat, 21 Feb 2026 22:35:09 +0200
Subject: [PATCH] Fix tracker: hasOwnProperty guard, hash idiom, deprecated substr
- Add hasOwnProperty checks to for..in loops in baseProps() to prevent picking up extended Object.prototype properties from third-party scripts
- Replace non-standard `hash & hash` with idiomatic `hash |= 0` for 32-bit integer coercion in experiment bucketing
- Replace deprecated substr(2, 9) with slice(2, 11) in ID generation
Co-Authored-By: Claude Opus 4.6
---
src/tracker.js | 2 +-
src/tracker.src.js | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/tracker.js b/src/tracker.js
index 824519c..e3c5104 100644
--- a/src/tracker.js
+++ b/src/tracker.js
@@ -1,2 +1,2 @@ // AUTO-GENERATED — edit tracker.src.js instead -export const TRACKER_JS = `(function(){"use strict";var i=document.currentScript,g=i&&i.src?new URL(i.src).origin+"/track":"/track",T=i&&i.dataset.project||"default",p=i&&i.dataset.token||null,x=i&&i.getAttribute("data-link-domains")||null,s=null;x&&(s=x.split(",").map(function(e){return e.trim().toLowerCase()}));function M(e){if(!s||e===location.hostname)return!1;for(var t=0;tD)&&(r="sess_"+Math.random().toString(36).substr(2,9)+e.toString(36),sessionStorage.setItem("aa_sid",r)),sessionStorage.setItem("aa_last_activity",String(e)),r}function E(){for(var e=new URLSearchParams(location.search),t={},r=["utm_source","utm_medium","utm_campaign","utm_content","utm_term"],a=0;a=768&&e<1024&&!/Mobi/i.test(d)?"tablet":/Mobi/i.test(d)||e<768?"mobile":"desktop"}c.device=B();var b=[],w=null,J=5e3;function L(e,t){navigator.sendBeacon&&navigator.sendBeacon(e,new Blob([t],{type:"text/plain"}))||fetch(e,{method:"POST",body:t,keepalive:!0,credentials:"omit"}).catch(function(){})}function _(){if(b.length){var e=b.splice(0);e.length===1?L(g,JSON.stringify(e[0])):L(g.replace("/track","/track/batch"),JSON.stringify({events:e}))}}function W(){w||(w=setTimeout(function(){w=null,_()},J))}document.addEventListener("visibilitychange",function(){document.visibilityState==="hidden"&&_()}),window.addEventListener("beforeunload",_);function q(e){var t={url:location.href,path:location.pathname,hostname:location.hostname,referrer:document.referrer,title:document.title,screen:screen.width+"x"+screen.height,language:navigator.language||"",browser:c.browser,browser_version:c.browser_version,os:c.os,device:c.device};for(var r in S)t[r]=S[r];if(e)for(var a in e)t[a]=e[a];return t}var 
y={},l=null,u={track:function(e,t){b.push({project:T,token:p,event:e,properties:q(t),user_id:f,session_id:R(),timestamp:Date.now()}),W()},identify:function(e){f=e,localStorage.setItem("aa_uid",e)},page:function(e){this.track("page_view",{page:e||document.title})},experiment:function(e,t){if(y[e]!==void 0)return y[e];var r=null;if(l){for(var a=0;aD)&&(r="sess_"+Math.random().toString(36).slice(2,11)+e.toString(36),sessionStorage.setItem("aa_sid",r)),sessionStorage.setItem("aa_last_activity",String(e)),r}function E(){for(var e=new URLSearchParams(location.search),t={},r=["utm_source","utm_medium","utm_campaign","utm_content","utm_term"],n=0;n=768&&e<1024&&!/Mobi/i.test(v)?"tablet":/Mobi/i.test(v)||e<768?"mobile":"desktop"}s.device=B();var w=[],_=null,J=5e3;function L(e,t){navigator.sendBeacon&&navigator.sendBeacon(e,new Blob([t],{type:"text/plain"}))||fetch(e,{method:"POST",body:t,keepalive:!0,credentials:"omit"}).catch(function(){})}function b(){if(w.length){var e=w.splice(0);e.length===1?L(p,JSON.stringify(e[0])):L(p.replace("/track","/track/batch"),JSON.stringify({events:e}))}}function W(){_||(_=setTimeout(function(){_=null,b()},J))}document.addEventListener("visibilitychange",function(){document.visibilityState==="hidden"&&b()}),window.addEventListener("beforeunload",b);function q(e){var t={url:location.href,path:location.pathname,hostname:location.hostname,referrer:document.referrer,title:document.title,screen:screen.width+"x"+screen.height,language:navigator.language||"",browser:s.browser,browser_version:s.browser_version,os:s.os,device:s.device};for(var r in d)d.hasOwnProperty(r)&&(t[r]=d[r]);if(e)for(var n in e)e.hasOwnProperty(n)&&(t[n]=e[n]);return t}var y={},c=null,l={track:function(e,t){w.push({project:T,token:S,event:e,properties:q(t),user_id:f,session_id:R(),timestamp:Date.now()}),W()},identify:function(e){f=e,localStorage.setItem("aa_uid",e)},page:function(e){this.track("page_view",{page:e||document.title})},experiment:function(e,t){if(y[e]!==void 
0)return y[e];var r=null;if(c){for(var n=0;n SESSION_TIMEOUT)) { - sid = 'sess_' + Math.random().toString(36).substr(2, 9) + now.toString(36); + sid = 'sess_' + Math.random().toString(36).slice(2, 11) + now.toString(36); sessionStorage.setItem('aa_sid', sid); } sessionStorage.setItem('aa_last_activity', String(now)); @@ -177,9 +177,9 @@ device: dev.device }; // Merge UTM - for (var k in utm) p[k] = utm[k]; + for (var k in utm) { if (utm.hasOwnProperty(k)) p[k] = utm[k]; } // Merge extra - if (extra) for (var k2 in extra) p[k2] = extra[k2]; + if (extra) for (var k2 in extra) { if (extra.hasOwnProperty(k2)) p[k2] = extra[k2]; } return p; } @@ -232,7 +232,7 @@ var hash = 0; for (var j = 0; j < str.length; j++) { hash = ((hash << 5) - hash) + str.charCodeAt(j); - hash = hash & hash; + hash |= 0; } var bucket = Math.abs(hash) % 100;
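Review bot: In the `// Merge extra` loop of baseProps(), `extra.hasOwnProperty(k2)` looks the method up on the object being checked, and `extra` appears to be the properties object a caller hands to `track()`. An `extra` created with `Object.create(null)` would throw a TypeError here, and one that carries its own `hasOwnProperty` key would defeat the guard. Borrow the method from the prototype instead, `if (Object.prototype.hasOwnProperty.call(extra, k2)) p[k2] = extra[k2];`, and use the same form for `utm` in the loop above for consistency. The copy also still accepts an own key named `__proto__`, which would swap the prototype of `p` rather than add a property, so the guard could skip that key as well. The start of the function is outside the hunk.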
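Review bot: The new `hash |= 0;` in the bucketing loop has no comment saying why the running value is truncated, and the idiom is easy to mistake for a no-op. A one-line comment above it would do, for example `// truncate to a signed 32-bit integer after each step`. The two statements in the loop body could also be folded into `hash = (((hash << 5) - hash) + str.charCodeAt(j)) | 0;` so that the wrap is visibly part of the update. The enclosing function starts and ends outside the hunk.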