I found this piece of code while viewing page source of a website.
ga('create', 'UA-XXXXXX-Y', 'domain-name', {'allowLinker': true});
"UA-XXXXXX-Y" is the Google Analytics tracking ID. I read on a blog that this might be a potential vulnerability.
The blog states that:
As long as we have the Google Analytics Property ID, we can send data to ANY Google Analytics account we want. So if someone gets a hold of your Property ID and wants to corrupt your data with their data, it’s very easy to do so.
Is this a vulnerability? If yes, what type of vulnerability is it (e.g. Information Disclosure)? Can I report it as a vulnerability?
Any help is appreciated. Thanks in advance!
It is a normal situation; Analytics code is always viewable. You have to use a filter in the View, i.e. to avoid spam traffic or hits from other domains.
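The hostname filtering mentioned in the answer above, as an added example that is not part of the original post: it builds an anchored, escaped regex for a custom Include filter on the Hostname field and checks it against constructed hits. The hostnames, hit records and function names are assumptions made for illustration.

```python
import re

# Assumption: the hostnames that legitimately serve the tracking snippet.
VALID_HOSTNAMES = ["example.com", "www.example.com", "shop.example.com"]

# A loose pattern someone might type by hand: unanchored, dots unescaped.
NAIVE_PATTERN = "example.com"


def build_hostname_filter(hostnames):
    """Return an anchored regex that matches only the exact hostnames given."""
    alternatives = "|".join(re.escape(h) for h in sorted(hostnames))
    return rf"^({alternatives})$"


def split_hits(hits, pattern):
    """Split hits into (kept, dropped) the way an Include filter would."""
    rx = re.compile(pattern, re.IGNORECASE)
    kept, dropped = [], []
    for hit in hits:
        hostname = hit.get("hostname", "")
        (kept if rx.search(hostname) else dropped).append(hit)
    return kept, dropped


# Constructed sample hits, as they might appear in a raw hostname report.
SAMPLE_HITS = [
    {"hostname": "www.example.com", "page": "/pricing"},
    {"hostname": "example.com", "page": "/"},
    {"hostname": "example.com.spam.test", "page": "/free-traffic"},
    {"hostname": "wwwXexample.com", "page": "/"},
    {"hostname": "(not set)", "page": "/"},
]

if __name__ == "__main__":
    strict = build_hostname_filter(VALID_HOSTNAMES)
    for label, pattern in (("naive", NAIVE_PATTERN), ("strict", strict)):
        kept, dropped = split_hits(SAMPLE_HITS, pattern)
        print(f"{label:6} {pattern}")
        print("  kept   :", [h["hostname"] for h in kept])
        print("  dropped:", [h["hostname"] for h in dropped])
```

The loose pattern keeps look-alike hostnames because it matches anywhere in the string; the anchored pattern keeps only exact matches, so it must be updated whenever a new legitimate hostname starts serving the snippet.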