Last week I ran a free Lighthouse audit on leafpad.io and got a Best Practices score of 54. I dug in expecting to find a misconfigured setting. What I actually found was a third-party tracking script I never installed, quietly syncing cookies to an ad network on every page visit.
This post walks through exactly how I found it, how I removed it, and how you can run the same check on your own site in under 20 minutes for free.
What Is Google Lighthouse and Why Does the Best Practices Score Matter?
Lighthouse is a free auditing tool built into Chrome DevTools. It scores your site across Performance, Accessibility, Best Practices, and SEO. A low Best Practices score signals problems that affect user trust, security, and indirectly your Google rankings since third-party scripts slow page load and drag down your Performance score too.
A score of 54 is not a yellow warning. It is a red flag.
Step 1: Run a Lighthouse Audit on Your Site
Open your website in Chrome. Press F12 to open DevTools, click the Lighthouse tab, and hit Analyze Page Load. You will get a full report in about 30 seconds.
My report flagged two issues under Best Practices:
Uses third-party cookies with 10 cookies found
Uses deprecated APIs with 1 warning from Facebook's AttributionReporting
Ten cookies. I was expecting three from the Meta Pixel we set up. Ten was a problem.
Step 2: Identify Which Third-Party Cookies You Did Not Add
Expanding the "third-party cookies" section in the Lighthouse report lists every cookie and its source domain. Most of mine were from Facebook, which was expected. Two were not:
bitoandbitoIsSecurefrom match.prod.bidr.io (Beeswax, a programmatic ad DSP)tuidfrom a.usbrowserspeed.com (a known fingerprinting and ad-tracking domain)
I had never added either of these. Something else on my site was pulling them in.
Step 3: Trace the Initiator Chain in Chrome DevTools
Switch to the Network tab in DevTools. Filter requests by the suspicious domain (I searched for bidr.io). Click the request, then open the Initiator tab. You will see a "Request initiator chain" showing the parent script that triggered it.
Mine showed:
https://tag.trovo-tag.com/wr9G8jlBZ5Igm16h?rurl=https://leafpad.io/...
└── https://match.prod.bidr.io/cookie-sync/fivebyfiveA script from tag.trovo-tag.com was loading on my site and immediately calling Beeswax for a cookie sync. I had never heard of Trovo. I certainly had not added it.
Step 4: Search Your Codebase for the Unknown Script
In VSCode, press Ctrl+Shift+F (or Cmd+Shift+F on Mac) to search across your entire project. Search for the tag ID from the initiator URL.
I found it immediately, sitting in my <head>:
<Script
id="vtag-ai-js"
async
src="https://r2.leadsy.ai/tag.js"
data-pid="wr9G8jlBZ5Igm16h"
data-version="062024"
strategy="afterInteractive"
/>This is Leadsy.ai, a visitor de-anonymization tool used for B2B lead generation. The tag ID matched the Trovo URL exactly, confirming it as the source of the entire cookie chain.
I have never signed up for Leadsy. I have never added this script. It was just sitting there.
How Does Unknown Tracking Code End Up on Your Website?
The most common cause is a compromised or deceptive npm package. A package you installed months ago for some unrelated purpose injects third-party marketing scripts into your build. You deploy, move on, and it runs indefinitely without you knowing.
To trace exactly when it was introduced, run this in your terminal:
git log -S "your-tag-id-here" --allThis shows the exact commit that added the code and who made it, which helps you trace it back to the responsible package or person.
How to Remove the Unknown Tracking Script
Delete the script block from your codebase. Deploy. Re-run the Lighthouse audit.
After removing Leadsy, the Beeswax and usbrowserspeed cookies were completely gone. The only remaining third-party cookies were from the Meta Pixel, which is expected. Best Practices score jumped in a single deploy.
Why You Should Run This Check Quarterly
Third-party scripts are one of the most overlooked performance and security risks in web development. They slow your page load, which hurts your Google rankings. They set cookies without user consent, which is a compliance issue if you have EU traffic. And they signal to technical users who inspect your network traffic that something is off.
The scarier thing: most site owners have no idea this is happening. Packages pull in packages. Tags call other tags. It compounds quietly over time.
The Lighthouse audit is free and takes 60 seconds. The DevTools trace takes 5 minutes. Running this check once a quarter is worth it.
Quick Step-by-Step Checklist
Open Chrome DevTools (F12) and go to the Lighthouse tab
Run an audit and check your Best Practices score
Expand "Uses third-party cookies" and look for unrecognized domains
Go to the Network tab, filter by the suspicious domain, and open the Initiator tab
Copy the tag ID from the initiator chain URL
Search your codebase with Ctrl+Shift+F for that tag ID
Delete the script block and deploy
Run
git log -S "tag-id" --allto trace how it got thereRe-run Lighthouse to confirm the cookies are gone
No paid tools. No signup. If your site has unknown tracking scripts running, this is how you find them.
Published with LeafPad