Verify

Hijack Exposure Score

Every link you publish gets a hijack exposure band: LOW, MEDIUM, HIGH, or NULL. The band is per link, not per network, because two links on the same network can score differently depending on the cookie mechanism each one uses. The score traces a specific failure pattern: the cookie-on-redirect attribution model that active class actions allege was systematically overwritten by browser-extension popups at checkout, routing commission from the creator to the extension operator. The Hijack Exposure Score is live in the free Link Audit.

Join the beta →

What it does

Assigns one of four bands to every link. LOW means the attribution mechanism survives the cookie-overwrite scenario, either because it uses server-to-server postback (no browser cookie to overwrite) or a dual link-plus-tracking-code signal where the network treats the code as authoritative. MEDIUM means a first-party cookie is in play, which is more resilient than a third-party redirect but still overwritable at checkout when the extension is operating on the merchant domain. HIGH means third-party redirect cookie attribution, the exact model that the Honey, Capital One Shopping, Klarna, and Rakuten class actions allege was overwritten by a hidden-tab mechanism at checkout, firing when any user interacted with the extension popup, including dismissal. NULL means a different failure class applies, not a clean result.
Attaches a case citation to every HIGH band. The four active cases alleging the hidden-tab cookie-replacement pattern are: PayPal Honey (N.D. Cal.), Capital One Shopping (E.D. Va., motion to dismiss largely denied June 2025), Klarna (S.D. Ohio), and Rakuten/Ebates (N.D./C.D. Cal.). Case names appear in plain text on the primary score surface; the expand panel shows the documented mechanism. Two operator-required notes accompany every citation: PayPal disputes the allegations, and PayPal announced January 2026 that the Selective StandDown mechanism was disabled. That second claim is independently unverified. VigiLink's posture is watchful and independent, not partisan.
Treats NULL as a different failure class, not as a safe result. Three link types score NULL: MMP deep links (app-install attribution governed by Apple SKAN or Google Play Install Referrer, a fundamentally different model where per-link commission loss is not scoreable in this version); session-only attribution like Booking.com, where any tab switch or browser close loses the commission directly without any extension involvement; and terminal-network-unknown, where the chain resolves to a domain outside our registry. In all three cases the output explains what the failure mode is, not simply that the score does not apply.
Tells you the two most actionable moves when a link scores HIGH or MEDIUM. First: add a discount code where the network treats it as authoritative (Awin Voucher Attribution, Impact Tracking Promo Codes). A code-plus-link dual signal means commission traces to the code even if the cookie is overwritten. Second: ask the brand whether their program uses server-to-server postback instead of cookie attribution. S2S is the only attribution mechanism a cookie overwrite cannot touch, because no browser cookie is involved at all.
Discloses what the score does not cover, on every result, not just when it seems relevant. The Audit does not check whether your specific audience has Honey, Capital One Shopping, Rakuten, or Klarna installed. It does not audit in-platform programs (TikTok Shop, Amazon Onsite, YouTube Shopping, Instagram Affiliate Reels). It does not score promo-code-only brand deals with no affiliate link. It does not apply per-merchant attribution-window overrides beyond the documented special cases. It does not run a live browser simulation with extensions loaded. The score models exposure from the attribution mechanism. We do not fake precision.

How it works

01
Classify the link
The Audit identifies the network, follows every hop in the redirect chain, resolves any wrapper layer (a Geniuslink, Lasso cloak, or Linktree host that sits in front of the real destination), and records the cookie mechanism: third-party redirect cookie (a cookie set on the network's own redirect domain, the mechanism at issue in the class actions), first-party server-set, first-party script-set, localStorage, session-only, server-to-server postback, or MMP. The mechanism is the input to the score; the network name is context.
02
Apply the score band
The cookie mechanism, plus any dual signal detected (a tracking promo code the network honors as authoritative, or a confirmed S2S postback), maps to LOW, MEDIUM, HIGH, or NULL. Two links on the same network can score differently: one with a code dual signal scores LOW while another without it scores HIGH. The score reflects the actual attribution pathway, not a blanket network-level label.
03
Attach the citation and the action lines
Every HIGH band gets a layered citation panel: a plain-language headline naming the alleged pattern, an expandable section with the documented mechanism and the active cases, and a set of concrete action lines (add a code dual signal, ask about S2S postback, note that litigation is active). The score, the citation, and the actions are all live in the free Link Audit.

What you’ll see

Hijack Exposure Score

This is where your links appear after a scan: graded, annotated, and ready to act on. Join the beta list to see your own results here when it opens.

Want the methodology write-up when it publishes?

We are preparing a deeper write-up of the scoring methodology and the case-action research behind it. Leave your details and we will send it when it goes live.

Related features

Link Chain Analyzer

Find the exact hop where your commission tag goes missing.

Cookie Validator

See how Safari actually handles your cookie, and what that costs you.

Cross-Browser Tester

Does your link pay out the same in Firefox? In the EU? Test it.

Beta

See this feature applied to your own links.

VigiLink is in active development. Join the beta list and we will reach out when the Link Audit opens, so you can see your score with real citations and the same coverage disclosure we surface to every creator.

Join the beta →

Hijack Exposure Score

Join the beta →