This work presents Unbundle-Rewrite-Rebundle (URR), a system for detecting privacy-harming portions of bundled JavaScript code, and rewriting that code at runtime to remove the privacy harming behavior without breaking the surrounding code or overall application. URR is a novel solution to the problem of JavaScript bundles, where websites pre-compile multiple code units into a single file, making it impossible for content filters and ad-blockers to differentiate between desired and unwanted resources. Where traditional content filtering tools rely on URLs, URR analyzes the code at the AST level, and replaces harmful AST sub-trees with privacy-and-functionality maintaining alternatives. We present an open-sourced implementation of URR as a Firefox extension, and evaluate it against JavaScript bundles generated by the most popular bundling system (Webpack) deployed on the Tranco 10k. We measure the performance, measured by precision (1.00), recall (0.95), and speed (0.43s per-script) when detecting and rewriting three representative privacy harming libraries often included in JavaScript bundles, and find URR to be an effective approach to a large-and-growing blind spot unaddressed by current privacy tools.

翻译：本文提出解包-重写-重打包（URR）系统，用于检测打包JavaScript代码中的隐私侵犯部分，并在运行时对其重写以消除隐私侵犯行为，同时保持周围代码和整体应用的完整性。URR是针对JavaScript包问题的新颖解决方案，网站将多个代码单元预编译为单个文件，使得内容过滤器和广告拦截器无法区分所需资源和有害资源。传统内容过滤工具依赖URL进行识别，而URR在抽象语法树（AST）层面分析代码，用既保护隐私又保持功能性的替代方案替换有害的AST子树。我们以Firefox扩展的形式开源实现了URR，并针对Tranco 10k上最流行的打包系统（Webpack）生成的JavaScript包进行评估。通过检测和重写JavaScript包中常见的三种代表性隐私侵犯库，我们测量了系统性能：精确率（1.00）、召回率（0.95）和速度（0.43秒/脚本），结果表明URR是解决当前隐私工具未涉及且日益扩大的盲区的有效方法。