Origins and Evolution
When the web first opened its doors, advertisers chased visitors with flashy pop‑up windows that slammed over the page. Those early pop‑ups were designed to grab attention, but they also prompted users to install blockers and push back. The frustration pushed marketers to invent a more elusive cousin - pop‑unders. Instead of demanding focus, these windows slipped beneath the active tab, staying hidden until a new window was opened or the user switched focus. That stealth mode became a new playground for advertisers seeking higher click‑through rates.
By the late 1990s, pop‑up blockers had become a staple of most browsers. The blocking algorithms simply scanned for window.open calls that would immediately draw focus to a new frame. Since pop‑unders deliberately omitted the focus step, they slipped past those filters. Advertisers began exploiting the loophole, writing a small script that launched a secondary window while the original page stayed in the foreground.
Early pop‑under implementations were intentionally lightweight. A single line of JavaScript, often embedded in a banner or image link, would call window.open with a tiny viewport and omit any focus directive. The script would then set a short timer, usually 3‑5 seconds, before bringing the new window to the front. This delayed focus made it difficult for a browser’s pop‑up blocker to flag the action as a malicious pop‑up, since the call had already occurred when the blocker scanned for instant focus changes. The hidden window’s purpose was clear: display an offer, a coupon code, or a partner landing page.
Advertisers also refined their tactics, checking for the presence of certain cookies or user agents before deciding whether to fire a pop‑under. They often used a short delay before calling focus() to bring the window to the foreground.
In the mid‑2000s, the technique gained traction, especially in affiliate marketing. Affiliates began bundling pop‑under links with other offers, capitalizing on the fact that many users could inadvertently click through to the hidden window without noticing. This surge pushed the practice to the edge of both legality and ethical acceptability.
Because pop‑unders slipped through many defenses, they often operated at the edge of legality. In some jurisdictions, ad publishers were found liable for violating deceptive advertising laws when pop‑unders tricked users into hidden offers. The debate intensified when pop‑unders started to be used to deliver malware or phishing pages that conceal their presence, reinforcing the view of regulatory bodies that pop‑unders are a significant risk to consumer protection.
Today, pop‑unders still exist, but their prevalence has been curtailed by tighter browser controls and more vigilant user awareness. Nonetheless, the lessons from their evolution remain relevant. Understanding how they were engineered - from simple JavaScript tricks to sophisticated conditional timing - provides insight into the broader tactics advertisers employ to evade detection. It also underlines the importance of continuous vigilance, both from developers building safer web experiences and from users who remain skeptical of sudden, hidden windows. The pop‑under story, from its mischievous beginnings to its current regulated form, serves as a reminder that the battle between innovation and user experience is ongoing.
Technical Mechanics
At the heart of a pop‑under is the window.open function. When a user clicks an element, the browser creates a new window object. The call accepts a URL, a target name, and a feature string that can set dimensions, toolbar visibility, and more. The third argument, often a comma‑separated list, controls how the new window behaves. For a pop‑under, developers usually leave the focus flag out or set it to false, telling the browser not to bring the new tab to the foreground immediately.
Because browsers don't let scripts explicitly dictate a window’s stacking order, the trick lies in timing. When the new window is opened without an immediate focus() call, the browser keeps it in the background. Many scripts then wait a few hundred milliseconds before calling focus() to bring it to the foreground. Browsers now inspect the event stack; if the focus call occurs outside the original event, the new tab remains behind. Developers can replicate this behaviour safely for legitimate pop‑ups by setting the window’s feature string to include 'noopener' and ensuring focus is applied only when the user interacts again.
A typical pop‑under script opens a window with minimal dimensions and then, after a short delay, calls focus() to bring it to the foreground.
In short, the mechanics of a pop‑under hinge on a combination of script timing, focus control, and browser policy. By exploiting the window.open API and deferring focus, marketers can slip ads into the background. However, as browsers evolve, the window.open call becomes increasingly bound to real user interaction, forcing the technique toward the edges of both legality and user acceptance. Understanding these mechanics helps developers write cleaner code and users recognize the subtle signs of covert advertising.
Impact on User Experience
When a pop‑under silently opens, it immediately adds another tab or window to the browser’s process list. Even a modestly sized HTML page consumes memory, and the more instances a page creates, the more pressure it places on the system. On older machines or shared devices, a handful of hidden tabs can push RAM usage past 400 MB, leading to sluggish scrolling, delayed page loads, and in extreme cases, browser crashes.
Beyond memory, the CPU must handle rendering, scripting, and network requests for each hidden tab. JavaScript timers, image loads, or background polling can keep the CPU busy even when the tab is not visible. Users often notice a gradual decline in responsiveness, especially when multitasking with other applications. In the worst scenarios, a site that spawns dozens of pop‑unders can cause a laptop to throttle performance or, in the case of older operating systems, lock up entirely.
Some attackers take the stealthy opening a step further by forcing the hidden window to go fullscreen. Once it occupies the entire screen, the user is presented with a banner that cannot be closed without using task‑manager shortcuts. This technique is often used in phishing schemes, where the overlay displays a fake login form that looks identical to a legitimate site. The user, unaware of the hidden origin, enters credentials that are then harvested by the attacker.
The sudden appearance of an unexpected tab is also a psychological shock. Users who are immersed in a task are forced to refocus when a pop‑under takes over the foreground. The frustration that follows - coupled with the feeling of being deceived - can lead to a negative impression of the site or brand. Over time, repeated exposure to these tactics may make users wary of clicking on any new links, even legitimate ones.
Trust erosion is a silent but powerful side effect. When users sense that a site is using hidden ads, they begin to doubt the authenticity of other content presented by the same domain. This skepticism extends beyond the individual page to the entire brand, especially if the pop‑under is perceived as a low‑quality tactic. In sectors where trust is paramount - such as finance, health, or e‑commerce - this loss of confidence can translate into lost customers and revenue.
From a business perspective, the negative ripple effects are hard to ignore. Web analytics often show a sharp decline in bounce rates for pages that trigger pop‑unders, but the overall traffic can still dip as users leave sites for fear of being bombarded with hidden ads. Advertisers who rely on high click‑through rates may find that the short‑term gains are outweighed by long‑term damage to the site’s reputation and search‑engine rankings.
Long‑term consequences reach beyond immediate traffic. Search engines increasingly favor user‑centric signals - such as dwell time and low bounce rates - when ranking pages. A site riddled with pop‑unders will see its signals degrade, pushing it down the results list. Moreover, word‑of‑mouth can spread quickly in the digital age; a single negative review about hidden advertising can deter potential visitors. In essence, the cost of a pop‑under extends far beyond the click, impacting brand perception, user trust, and ultimately the bottom line.
Another subtle impact is on accessibility. Screen readers and other assistive technologies may inadvertently announce the opening of a hidden tab, confusing users who rely on auditory cues. Similarly, keyboard navigation can be disrupted when focus shifts to an unseen window, making it difficult to return to the original page. Web developers who ignore these scenarios expose themselves to accessibility complaints and potential legal challenges under the Americans with Disabilities Act or equivalent regulations in other countries.
Legal and Ethical Concerns
In the legal arena, pop‑unders sit at the intersection of advertising law, privacy regulations, and consumer protection statutes. In the European Union, the e‑Privacy Directive - later reinforced by the General Data Protection Regulation - requires that any non‑essential cookie or tracking script be preceded by informed consent. Because pop‑unders often rely on tracking pixels or third‑party scripts to decide whether to fire, they risk violating that consent requirement. In the United States, the Federal Trade Commission has issued guidance that any advertising that misleads or tricks users, such as pop‑unders that conceal their presence, falls under deceptive advertising rules.
The FTC’s Deceptive Advertising Act mandates that any claim or presentation that misleads the average consumer be prohibited. Pop‑unders that open without clear disclosure violate this act because the user is unaware of the new window until a later moment. Cases in the past have seen fines reaching six figures, and plaintiffs often argue that the hidden nature of the ad constitutes a 'bait‑and‑switch' scenario. The key legal question is whether the ad was presented in a manner that could reasonably lead the user to believe that clicking the link would result in the content they saw.
Under EU law, the e‑Privacy Directive’s Cookie Directive requires explicit opt‑in before any non‑essential cookie can be placed. Because pop‑unders frequently embed third‑party trackers to identify whether a user has previously seen an ad, they are often in breach if they do so without consent. Additionally, the GDPR’s consent standards insist that consent must be granular, specific, and freely given - principles that clash with pop‑under tactics that blanket‑approve all ads upon the first site visit. Failure to comply can trigger penalties of up to 4% of a company’s annual worldwide turnover.
Other jurisdictions have begun to mirror these protective stances. In the United States, California’s Consumer Privacy Act (CCPA) grants residents the right to opt out of the sale of their personal data, which includes data used to target pop‑unders. Brazil’s Lei Geral de Proteção de Dados (LGPD) imposes similar obligations, while Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) demands transparency in how data is collected for advertising. These regulations collectively raise the legal bar for any ad that hides its presence, demanding clear disclosure and user choice.
From an ethical standpoint, pop‑unders challenge the principle of informed consent. Users typically give permission to receive content when they explicitly agree - by checking a box or clicking 'accept' - but they rarely anticipate an unseen window launching in the background. The covert nature of the ad violates the user's right to make an autonomous choice about what they view. Advertisers face a dilemma: push for higher click‑through rates through stealth tactics or prioritize transparency and user trust, a choice that carries long‑term brand implications.
Legal actions against pop‑under operators have already materialized. The Federal Trade Commission filed a complaint in 2020 against a network that used pop‑unders to drive affiliate commissions, citing violations of deceptive advertising laws. The case resulted in a settlement that imposed a multimillion‑dollar fine and required the network to cease using pop‑unders entirely. Similar actions have been taken in Europe, where regulators have fined companies for deploying hidden advertising that contravenes both the e‑Privacy Directive and GDPR, reinforcing that regulatory bodies view pop‑unders as a significant risk to consumer protection.
Looking ahead, regulators are likely to tighten enforcement around stealth advertising techniques. Emerging standards, such as the Web Monetization Initiative, aim to provide clearer attribution and consent mechanisms for online ads. For businesses, adopting a transparent model - displaying ads in clear overlays, offering opt‑out links, and publishing privacy notices - will reduce legal exposure and rebuild user trust. Those who continue to employ pop‑unders will face not only regulatory scrutiny but also a shrinking audience that increasingly values privacy and a non‑intrusive browsing experience.
Defending Against Pop Unders
Modern browsers have evolved to treat any attempt to open a window without a clear user trigger as suspicious. Chrome, Firefox, and Edge now only honor window.open calls that stem directly from a click or keypress event. Extensions such as uBlock Origin or Ghostery detect and queue window.open calls that miss the focus flag, preventing them from launching until the user deliberately clicks a link. By relying on built‑in blockers, most users can shield themselves from pop‑unders without changing their browsing habits.
From a technical standpoint, pop‑under scripts often use a two‑step process: they first open a window with minimal dimensions and then, after a short delay, call focus() to bring it to the foreground. Browsers now inspect the event stack; if the focus call occurs outside of the original event, the new tab remains behind. Developers can replicate this behaviour safely for legitimate pop‑ups by setting the window’s feature string to include 'noopener' and ensuring focus is applied only when the user interacts again.
A straightforward way to keep links from turning into hidden windows is to employ the target='_blank' attribute in conjunction with rel='noopener noreferrer'. This combination ensures that the browser opens the link in a new tab and immediately gives it focus, while also severing the reference that the new page has to the original. By avoiding window.open altogether, developers sidestep the focus rules that browsers enforce, making the behavior predictable for both users and automated tests.
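A checker for the link pattern described above, added here as an example and not part of the original article: it finds anchors that use target="_blank" without both rel tokens and emits the corrected start tag. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: lint <a target="_blank"> links for rel="noopener noreferrer".
const REQUIRED_REL = ["noopener", "noreferrer"];

// Parse one <a ...> start tag into a Map of lower-cased attribute names.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<a/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a repeated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Serialise the attributes back into a start tag with double-quoted values.
function buildTag(attrs) {
  const parts = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
  return `<a ${parts.join(" ")}>`;
}

// Return one finding per new-tab anchor that lacks a required rel token.
function lintNewTabLinks(html) {
  const findings = [];
  // Quoted attribute values may contain ">", so skip over them as units.
  const tagRe = /<a(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const attrs = parseAttrs(tag);
    if ((attrs.get("target") || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.get("rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED_REL.filter((token) => !rel.includes(token));
    if (missing.length === 0) continue;
    attrs.set("rel", [...rel, ...missing].join(" "));
    findings.push({ href: attrs.get("href") || "", missing, fixed: buildTag(attrs) });
  }
  return findings;
}

// Constructed sample markup (not from any real site).
const SAMPLE_HTML = `
<a href="https://partner.example/offer" target="_blank">Offer</a>
<a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a>
<a href='https://cdn.example/?rel=x' target=_blank rel="nofollow noopener">CDN</a>
<a href="/local">Same tab</a>`;

for (const f of lintNewTabLinks(SAMPLE_HTML)) {
  console.log(`${f.href} is missing ${f.missing.join(", ")} -> ${f.fixed}`);
}
```

The scan covers anchors only; forms and area elements that set target="_blank" would need the same check.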
Ad placement itself plays a role in user experience. Inline banners that sit within the page’s flow avoid the need to open a new window altogether. Overlay ads that partially cover content still allow the user to close the ad with a single click, preserving control. When a site must use a separate window, it should do so with a clear call‑to‑action, an explicit consent prompt, and an unobtrusive close button that remains visible at all times.
End‑user extensions remain a powerful line of defense. Script blockers like NoScript or ScriptSafe disable JavaScript on known pop‑under domains, while privacy‑focused add‑ons automatically strip tracking parameters from URLs. Some extensions even offer a 'Pop‑Under Shield' mode that monitors for new window events and closes them instantly if they do not have a visible frame. Users who rely on such tools can effectively neutralise pop‑unders without changing the sites they visit.
For developers, the first rule of thumb is to keep any new window request tied to a user action. Avoid calling window.open on page load or in a setTimeout that fires automatically. If you must create a new tab, use the target='_blank' syntax and let the browser handle focus. Also, test across browsers to confirm that the window does not remain hidden; the same code may behave differently in Safari versus Chromium.
Finally, compliance teams should monitor their own advertising inventory. Tools like Ghostery's Insight or the OpenTelemetry SDK can log when a page triggers window.open without focus. By auditing these events and cross‑checking them against consent records, organizations can verify that they are not deploying covert pop‑unders. A disciplined approach to tracking, combined with a clear disclosure policy, will keep a site compliant and maintain user trust.
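One way to collect the audit events described in the two paragraphs above, added here as an example rather than taken from Ghostery, OpenTelemetry or the original article: wrap window.open, record whether a user activation was in effect, and compare each destination with consent records. The function names, the record fields, the consent Set and the stand-in window object are assumptions made so the code runs under Node.

```javascript
// Added example (not from the original page). Wraps window.open so every call
// is logged with whether a user activation was in effect when it ran.
function installOpenAudit(win, sink, now = () => Date.now()) {
  const originalOpen = win.open;
  win.open = function auditedOpen(url, target, features) {
    const ua = win.navigator && win.navigator.userActivation;
    sink.push({
      ts: now(),
      page: win.location ? win.location.href : "",
      url: String(url ?? ""),
      features: String(features ?? ""),
      // true only during a click/keypress/tap; null if the API is missing
      userActive: ua ? ua.isActive === true : null,
    });
    return originalOpen.apply(win, arguments);
  };
  return () => { win.open = originalOpen; }; // call to uninstall the hook
}

// Cross-check logged opens against consent records. Assumption: consent is
// modelled as a Set of destination origins the visitor has agreed to.
function reviewOpens(records, consentedOrigins) {
  const findings = [];
  for (const r of records) {
    let origin = "";
    try {
      origin = new URL(r.url, r.page || undefined).origin;
    } catch {
      origin = ""; // unparseable URL: treated as unconsented
    }
    const reasons = [];
    if (r.userActive === false) reasons.push("no-user-activation");
    if (!consentedOrigins.has(origin)) reasons.push("no-consent-record");
    if (reasons.length) findings.push({ url: r.url, origin, reasons });
  }
  return findings;
}

// Constructed stand-in for a browser window so the example runs under Node.
function fakeWindow(isActive) {
  return {
    navigator: { userActivation: { isActive } },
    location: { href: "https://publisher.example/article" },
    open: () => ({ closed: false }),
  };
}

function demo() {
  const log = [];
  const clicked = fakeWindow(true);  // open() called inside a click handler
  const timer = fakeWindow(false);   // open() called from an automatic timer
  installOpenAudit(clicked, log, () => 1);
  installOpenAudit(timer, log, () => 2);
  clicked.open("https://shop.example/offer", "_blank", "noopener");
  timer.open("https://ads.example/landing", "_blank", "width=100,height=100");
  return reviewOpens(log, new Set(["https://shop.example"]));
}

console.log(demo());
```

In a real page the hook has to be installed before any third-party ad script runs, otherwise a script can capture the original window.open first.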
An often overlooked strategy is to pre‑load content via hidden iframes that load in the background but do not open a new tab. By embedding a small frame that fetches the ad content silently, the page can still deliver the desired message without triggering the browser’s pop‑under heuristics. The key is to keep the iframe’s height and width minimal and to set its 'display:none' style so the user never sees the frame. This technique is sometimes used for tracking scripts but can be repurposed for benign content, reducing the risk of being flagged as intrusive.
In the long run, the most sustainable defense comes from fostering a culture of transparency. Every ad that surfaces - whether inline, overlay, or new tab - should be accompanied by a concise explanation of why it appears, how it benefits the user, and an explicit opt‑out mechanism. When developers embed these signals into their markup, users feel empowered and less likely to resist. This approach not only sidesteps regulatory pitfalls but also aligns with the broader shift toward privacy‑first web design that prioritises user control over aggressive monetisation.




