Shopper Approved

Primary URL: shopperapproved[.]com
Location: United States of America
Industry: Technology

Profile

Shopper Approved is a United States-based technology company that operates as a provider of customer review widgets for e-commerce websites. Its core service involves supplying embedded JavaScript components that allow online retailers to display verified customer reviews and ratings directly on their product pages. These widgets serve as a trust-building tool for consumers, leveraging social proof to influence purchasing decisions. The company's market is primarily the global e-commerce sector, with its services integrated into the web properties of various online merchants. By aggregating and presenting customer feedback, Shopper Approved positions itself within the customer experience and conversion optimization space. The functionality of its widgets requires them to be embedded directly into the HTML of client sites, granting the provider a degree of script execution capability on those external domains. This technical integration is fundamental to its business model but also introduces a specific supply chain risk profile for its customers.

The company's operational history includes a significant security incident in September 2018 that defines its public cybersecurity profile. During this event, threat actors associated with the Magecart group compromised Shopper Approved's infrastructure and injected malicious code into a legitimate JavaScript file served to its clients. This skimmer was designed to stealthily harvest payment form data, such as credit card details, from checkout pages where the widget was present and transmit it to a remote attacker-controlled server. The attack's deployment was conditional, activating only on pages with specific URL keywords, which inadvertently limited its scope because most of Shopper Approved's clients did not embed the review widget on their payment pages. The breach was detected early after the attackers briefly exposed an unobfuscated version of the malicious script, allowing security researchers to analyze it and identify infrastructure links to a previous Magecart campaign targeting another widget provider. Upon discovery, Shopper Approved swiftly removed the malicious script from its systems and initiated notifications to affected customers. This incident underscores the critical risk posed by third-party JavaScript providers in the e-commerce ecosystem, where a single compromised component can facilitate widespread data theft across numerous downstream merchant sites. The event remains a referenced case study in supply chain attacks targeting the payment card data of online shoppers.

Incidents
1 incident