Your Website Is Probably Running Tracking Code You Never Installed

A free Lighthouse audit revealed unknown third-party tracking scripts running on our site and tanking our Best Practices score. Here is how to find and remove them in under 20 minutes.


Your Website Is Probably Running Tracking Code You Never Installed

Last week I ran a free Lighthouse audit on leafpad.io and got a Best Practices score of 54. I dug in expecting to find a misconfigured setting. What I actually found was a third-party tracking script I never installed, quietly syncing cookies to an ad network on every page visit.

This post walks through exactly how I found it, how I removed it, and how you can run the same check on your own site in under 20 minutes for free.

What Is Google Lighthouse and Why Does the Best Practices Score Matter?

Lighthouse is a free auditing tool built into Chrome DevTools. It scores your site across Performance, Accessibility, Best Practices, and SEO. A low Best Practices score signals problems that affect user trust, security, and indirectly your Google rankings since third-party scripts slow page load and drag down your Performance score too.

A score of 54 is not a yellow warning. It is a red flag.

Step 1: Run a Lighthouse Audit on Your Site

Open your website in Chrome. Press F12 to open DevTools, click the Lighthouse tab, and hit Analyze Page Load. You will get a full report in about 30 seconds.

My report flagged two issues under Best Practices:

  • Uses third-party cookies with 10 cookies found

  • Uses deprecated APIs with 1 warning from Facebook's AttributionReporting

Ten cookies. I was expecting three from the Meta Pixel we set up. Ten was a problem.

Step 2: Identify Which Third-Party Cookies You Did Not Add

Expanding the "third-party cookies" section in the Lighthouse report lists every cookie and its source domain. Most of mine were from Facebook, which was expected. Two were not:

  • bito and bitoIsSecure from match.prod.bidr.io (Beeswax, a programmatic ad DSP)

  • tuid from a.usbrowserspeed.com (a known fingerprinting and ad-tracking domain)

I had never added either of these. Something else on my site was pulling them in.

Step 3: Trace the Initiator Chain in Chrome DevTools

Switch to the Network tab in DevTools. Filter requests by the suspicious domain (I searched for bidr.io). Click the request, then open the Initiator tab. You will see a "Request initiator chain" showing the parent script that triggered it.

Mine showed:

https://tag.trovo-tag.com/wr9G8jlBZ5Igm16h?rurl=https://leafpad.io/...
  └── https://match.prod.bidr.io/cookie-sync/fivebyfive

A script from tag.trovo-tag.com was loading on my site and immediately calling Beeswax for a cookie sync. I had never heard of Trovo. I certainly had not added it.

Step 4: Search Your Codebase for the Unknown Script

In VSCode, press Ctrl+Shift+F (or Cmd+Shift+F on Mac) to search across your entire project. Search for the tag ID from the initiator URL.

I found it immediately, sitting in my <head>:

<Script
  id="vtag-ai-js"
  async
  src="https://r2.leadsy.ai/tag.js"
  data-pid="wr9G8jlBZ5Igm16h"
  data-version="062024"
  strategy="afterInteractive"
/>

This is Leadsy.ai, a visitor de-anonymization tool used for B2B lead generation. The tag ID matched the Trovo URL exactly, confirming it as the source of the entire cookie chain.

I have never signed up for Leadsy. I have never added this script. It was just sitting there.

How Does Unknown Tracking Code End Up on Your Website?

The most common cause is a compromised or deceptive npm package. A package you installed months ago for some unrelated purpose injects third-party marketing scripts into your build. You deploy, move on, and it runs indefinitely without you knowing.

To trace exactly when it was introduced, run this in your terminal:

git log -S "your-tag-id-here" --all

This shows the exact commit that added the code and who made it, which helps you trace it back to the responsible package or person.

How to Remove the Unknown Tracking Script

Delete the script block from your codebase. Deploy. Re-run the Lighthouse audit.

After removing Leadsy, the Beeswax and usbrowserspeed cookies were completely gone. The only remaining third-party cookies were from the Meta Pixel, which is expected. Best Practices score jumped in a single deploy.

Why You Should Run This Check Quarterly

Third-party scripts are one of the most overlooked performance and security risks in web development. They slow your page load, which hurts your Google rankings. They set cookies without user consent, which is a compliance issue if you have EU traffic. And they signal to technical users who inspect your network traffic that something is off.

The scarier thing: most site owners have no idea this is happening. Packages pull in packages. Tags call other tags. It compounds quietly over time.

The Lighthouse audit is free and takes 60 seconds. The DevTools trace takes 5 minutes. Running this check once a quarter is worth it.

Quick Step-by-Step Checklist

  1. Open Chrome DevTools (F12) and go to the Lighthouse tab

  2. Run an audit and check your Best Practices score

  3. Expand "Uses third-party cookies" and look for unrecognized domains

  4. Go to the Network tab, filter by the suspicious domain, and open the Initiator tab

  5. Copy the tag ID from the initiator chain URL

  6. Search your codebase with Ctrl+Shift+F for that tag ID

  7. Delete the script block and deploy

  8. Run git log -S "tag-id" --all to trace how it got there

  9. Re-run Lighthouse to confirm the cookies are gone

No paid tools. No signup. If your site has unknown tracking scripts running, this is how you find them.

Published with LeafPad