Pro Feature

Hidden iFrame Detection

Hidden iframes power ad fraud networks that cost advertisers billions of dollars annually — and they're one of the oldest tricks in the attacker's playbook. An iframe that's 1 pixel wide and 1 pixel tall is technically visible. Your browser renders it. The page loads. But you'll never see it, and that's exactly the point. The trick still works because the browser treats a 1x1 frame exactly like a full-size one: it fetches the content and runs its scripts.

What Hidden iFrames Does PhishClean Detect?

Zero-Size iFrames

iframes with width or height of 0-2 pixels — too small to see, big enough to load malicious content. Often used for credential theft or ad fraud.

Off-Screen iFrames

iframes positioned outside the visible viewport using negative coordinates or placed far to the right or below the page. Functionally invisible but fully active.

CSS-Hidden iFrames

iframes hidden via display:none, visibility:hidden, or opacity:0. The content still loads and executes JavaScript even though you can't see it.

Why Are Hidden iFrames Dangerous?

On the surface, an iframe is just an embedded page inside another page. Browsers have used them for decades. But when an iframe is hidden, it becomes something else entirely — a way to do things on your behalf without your knowledge.

The key distinction PhishClean makes: it only flags third-party hidden iframes. Same-domain iframes are normal and expected — analytics widgets, embedded components, lazy-loaded content. It's iframes from other domains that raise the red flag, because those are the ones that can do damage across origins.

How Does PhishClean Detect Hidden iFrames?

1. Scan every iframe on the page. On every page you visit, PhishClean finds all <iframe> elements in the DOM. This includes iframes added dynamically by scripts after the initial page load — not just the ones in the original HTML source.

2. Check if the source is third-party. For each iframe, PhishClean extracts the src attribute and compares the domain to the current page's domain. If it's the same domain, the iframe is skipped. If it's a different domain, it checks against the trusted domain whitelist (Google, Facebook, Stripe, Auth0, and 60+ others).

3. Inspect visibility. For third-party iframes that aren't on the trusted list, PhishClean inspects three things: the bounding rectangle size (is it smaller than 3x3 pixels?), the viewport position (is it positioned at negative coordinates or beyond the visible area?), and the computed CSS properties (display, visibility, opacity).

4. Fire the signal. If a third-party iframe is hidden, tiny, or off-screen, the HIDDEN_IFRAME signal fires and contributes to the page's overall risk score. Combined with other signals like secret leaks or formjacking indicators, this helps PhishClean build an accurate threat picture.

The Trusted Domain Filter

Not all hidden iframes are malicious. In fact, some of the most common iframes on the web are intentionally invisible.

Google Tag Manager loads in a hidden iframe. Stripe's payment processing uses an iframe you never see. Auth0's silent authentication flow uses a zero-size iframe to refresh tokens in the background. reCAPTCHA, Facebook's tracking pixel, HubSpot forms — they all use hidden iframes as part of their normal operation.

If PhishClean flagged all of these, you'd see alerts on nearly every page and the feature would be useless. That's why we maintain a curated list of 60+ trusted domains that are automatically excluded from detection. These are domains operated by well-known companies with legitimate reasons to use hidden iframes.

The list is maintained by the PhishClean team and updated with each extension release. If a trusted domain is compromised or starts serving malicious content, it gets removed. And if you encounter a domain that's being incorrectly flagged, you can add it to your personal whitelist in the extension settings.

Frequently Asked Questions

Will PhishClean flag Google Analytics or Stripe iframes?

No. PhishClean maintains a whitelist of 60+ trusted domains including Google Tag Manager, Google Analytics, Stripe, Auth0, reCAPTCHA, Facebook, and other widely-used services. Hidden iframes from these domains are automatically skipped. The detection only fires on third-party iframes from domains not on the trusted list — the ones that are actually suspicious.

Can I whitelist a domain that's being flagged?

Yes. If PhishClean flags a hidden iframe from a domain you trust — for example, an internal tool or a lesser-known payment provider — you can add that domain to your personal whitelist in the extension settings. Once whitelisted, hidden iframes from that domain will no longer trigger the HIDDEN_IFRAME signal. You can remove domains from the whitelist at any time if you change your mind.

Stop Invisible iFrames From Stealing Credentials

PhishClean detects hidden, tiny, and off-screen iframes on every page you visit — locally, in real time. 3-day free trial, no credit card required.