Men's Wearhouse
App Quality Report
Powered by Testers.AI
Quality Score: B- (80%)
Pages: 6
Issues: 155
Avg Confidence: 7.4
Avg Priority: 7.6
33 Critical, 94 High, 28 Medium
Testers.AI AI Analysis

Men's Wearhouse scored B- (80%) with 155 issues across 7 tested pages, ranking #12 of 14 US retail sites. That's 50 more than the 105.1 category average (14th percentile).

Top issues to fix immediately: "Invalid srcset descriptor causing image loading failures across multip" — Replace the invalid srcset generation logic that uses 'width=0'; "Invalid srcset descriptors causing image loading failures" — Fix the image processing pipeline to generate valid srcset descriptors with correct width values; "Multiple images with missing or empty alt text preventing screen reade" — Audit all images on the page to determine which are informative versus purely decorative.

Weakest area — accessibility (6/10): Basic accessibility present but lacking in depth. Color contrast ratios need verification, alt text implementation unclear, and...

Quick wins: Add skip-to-content navigation link and improve keyboard navigation throughout the site. Implement WCAG 2.1 AA compliant color contrast ratios, particularly in promotional sections.

[Chart: Qualitative Quality, comparing Men's Wearhouse, Category Avg, and Best in Category]
Issue Count by Type
A11y: 40
Content: 28
UX: 7
Security: 5
Visual: 1
Pages Tested · 6 screenshots
Detected Issues · 155 total
1. User Tracking Identifiers and Device Fingerprinting Exposed in Analytics API Calls
CRIT P9
Conf 9/10 Other
Prompt to Fix
Our Menswearhouse.com application is exposing user privacy data in console logs and API calls to third-party tracking services. The issue: User Agent strings, device fingerprinting data, tracking identifiers (scid), shopping cart URLs, and behavioral event data are being logged and sent to third-party analytics endpoints (Snapchat and Pinterest via LiveRamp). This violates privacy-by-design principles and may breach GDPR/CCPA. Fix this by: 1) Removing all User Agent and device fingerprinting signals from third-party API payloads; 2) Removing shopping cart page URLs from tracking calls; 3) Removing or encrypting tracking identifiers like 'scid'; 4) Implementing server-side analytics instead of client-side third-party tracking; 5) Adding explicit consent checks before any third-party data transmission; 6) Implementing data minimization to send only essential non-identifying event types to third parties. Ensure no sensitive user data is logged to browser console and no PII is sent to third-party domains without explicit user opt-in.
Why it's a bug
The console logs expose multiple sensitive tracking identifiers and device fingerprinting data being sent to third-party analytics services (Snapchat and Pinterest via LiveRamp). Specifically: (1) User Agent strings are logged and sent to third-party tracking endpoints, enabling device fingerprinting; (2) Partner identifiers like 'scid' and 'partner_name' (liveramp) are exposed; (3) Full page URLs including shopping cart context are sent to third-party trackers; (4) Event IDs and timestamps enable user behavioral profiling. This data exposure violates privacy principles, enables cross-site tracking, and may violate GDPR/CCPA regulations regarding third-party data sharing without explicit user consent.
Why it might not be a bug
These network requests may be intentional analytics integrations with proper consent mechanisms in place. However, the exposure of this data in console logs is problematic regardless of backend consent implementation.
Suggested Fix
1) Remove User Agent strings from being sent to third-party analytics endpoints - use server-side analytics instead; 2) Implement privacy-by-design: remove PII and device fingerprinting signals from all third-party tracker payloads; 3) Add consent checks before sending any data to third-party domains; 4) Do not log sensitive tracking identifiers or device fingerprinting data to console; 5) Implement data minimization - only send absolutely necessary event data to third parties
Why Fix
Exposing user device fingerprinting data, behavioral tracking IDs, and shopping context to multiple third-party trackers (Snapchat, Pinterest, LiveRamp) creates significant privacy risks. Users expect their shopping behavior and device information to remain private. This exposure could enable unauthorized profiling and violates user privacy expectations and data protection regulations.
Route To
Privacy Engineer / Data Protection Officer / Backend Analytics Engineer
Page
Tester
Pete · Privacy Console Log Analyzer
Technical Evidence
Console: [LOG] CA hashcode: e1913d8c3b94f364c586e391f5281185 [ERROR] {"message":"Network Error",..."url":"https://capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17","method":"post","data":"{\"events\":[{\"event_manager\":[\"snapchat\"],\"event_type\":\"PAGE_VIEW\",\"event_id\":\"1773710686892\",\"event_time\":1773710686,\"event_source_url\":\"https://www.menswearhouse.com/cart\",\"user_data\":{\"client_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)...\",\"partner_name\":\"liveramp\",\"scid\":\"uwlKazTV7C5BQJtfGN6iEboeBu86dxw7\"}
Network: POST https://capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17 and POST https://pinterest-capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17
2. User Tracking Identifiers and Device Fingerprinting Exposed to Third-Party Analytics
CRIT P9
Conf 8/10 Other
Prompt to Fix
Remove all sensitive tracking identifiers and device fingerprinting data from console logging. Specifically: (1) Strip or hash the 'scid' field before console output. (2) Remove full 'client_user_agent' strings from console logs - replace with a generic indicator like 'user_agent_logged_securely'. (3) Remove 'partner_name' references that indicate third-party data brokerage from console output. (4) Implement a sanitization function that filters out any user_data objects containing PII-adjacent fields before they reach console.log(). (5) Move detailed analytics payloads to a secure backend logging system that isn't accessible to console inspection. (6) Audit all axios/XHR requests being logged to analytics endpoints and ensure sensitive fields are only sent server-side or require explicit user consent before transmission.
Why it's a bug
The console logs expose sensitive user tracking data being sent to third-party analytics endpoints (Snapchat and Pinterest via LiveRamp). The exposed data includes: (1) a unique client identifier 'scid' (uwlKazTV7C5BQJtfGN6iEboeBu86dxw7), (2) full user agent strings that enable device fingerprinting, (3) partner name 'liveramp' indicating data brokerage, and (4) page URLs and visit events tied to these identifiers. This enables cross-site user tracking and profiling without explicit user consent visibility in console. The presence of 'event_id' timestamps and 'scid' allows third parties to build comprehensive user profiles across multiple websites.
Why it might not be a bug
Some might argue that analytics tracking is standard practice and disclosed in privacy policies. However, the exposure of these identifiers in console logs represents a security and privacy risk: (1) it makes tracking identifiers discoverable to malicious scripts, (2) it violates privacy-first principles by logging PII-adjacent data, and (3) it may violate GDPR/CCPA requirements for explicit consent before such tracking.
Suggested Fix
(1) Remove or hash tracking identifiers before logging to console. (2) Implement a check to prevent sensitive user data fields (scid, client_user_agent, partner_name) from being included in console output. (3) Log only non-identifying metadata. (4) Move detailed tracking payloads to server-side logging or use secure, non-console data transmission. (5) Ensure all third-party tracking calls require explicit user consent before execution.
Why Fix
Exposing tracking identifiers in console logs creates multiple privacy and security risks: (1) malicious browser extensions or XSS attacks can scrape these identifiers, (2) users can discover tracking practices they didn't explicitly consent to, (3) regulatory compliance issues with GDPR/CCPA if tracking lacks proper consent mechanisms, (4) reputational damage if users discover sophisticated profiling infrastructure in console output.
Route To
Privacy Engineer / Data Protection Officer / Frontend Security Engineer
Page
Tester
Pete · Privacy Console Log Analyzer
Technical Evidence
Console: {"events":[{"event_manager":["snapchat"],"event_type":"PAGE_VIEW","event_id":"1773710678812","event_time":1773710678,"event_source_url":"https://www.menswearhouse.com/c/mens-clothing-sale/clearance","user_data":{"client_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","partner_name":"liveramp","scid":"uwlKazTV7C5BQJtfGN6iEboeBu86dxw7"},"custom_data":[{"key":"device_model","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}]}]
Network: POST to https://capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17 and https://pinterest-capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17 containing user tracking identifiers and device fingerprinting data
3. Sensitive User Data and Partner IDs Exposed in Analytics Network Requests
CRIT P9
Conf 8/10 Other, Security
Prompt to Fix
Our application is logging complete network request payloads containing sensitive user data to the browser console in production. Specifically, axios error handlers are logging full config objects that include: analytics partner IDs (snapchat, liveramp), user tracking identifiers (scid values), client user agents, page URLs revealing cart state, and event payloads. This creates a security vulnerability where malicious browser extensions or XSS attacks can capture sensitive tracking and identification data. Please: (1) Modify the axios error handler to log only the error message and HTTP status code, NOT the full config object containing request data; (2) Add an environment check to only log detailed error info in development (check NODE_ENV or a DEBUG feature flag); (3) Implement a data sanitization function that strips user_data, scid, partner identifiers, and URLs from any console output before reaching production; (4) Add a build-time security check using a linter rule (or custom script) to flag when sensitive data patterns are logged to console in non-dev code.
Why it's a bug
The console logs expose detailed network request payloads containing sensitive user identifiers and tracking data being sent to third-party analytics services. Specifically, the logs show: (1) Snapchat tracking partner ID and LiveRamp partner configuration, (2) User agent strings combined with partner identifiers, (3) Page URLs revealing user cart state, (4) Event IDs and timestamps that could be correlated across sessions, (5) A 'scid' identifier ("uwlKazTV7C5BQJtfGN6iEboeBu86dxw7") which appears to be a user-tracking identifier. This information, when logged to the browser console, could be captured by malicious browser extensions, XSS attacks, or compromised debugging tools. The combination of user agent, page context, and partner identifiers enables fingerprinting and cross-site tracking amplification.
Why it might not be a bug
Analytics data transmission is a normal business practice and these APIs are intentionally called. However, the issue is not the APIs themselves but their full request/response payloads being logged to the console in production, which violates security best practices around sensitive data handling.
Suggested Fix
(1) Remove or minimize console logging of full network request/response payloads for third-party analytics calls. (2) If logging is needed for debugging, implement conditional console logging that only activates in development environments via feature flags or environment checks. (3) Sanitize any console output to exclude partner IDs, user identifiers (scid, client tokens), and page URLs that reveal user state. (4) Implement Data Loss Prevention (DLP) checks in build pipeline to prevent sensitive patterns from reaching production console logs. (5) Review axios error handling to log only error codes/messages, not full config objects containing request data.
Why Fix
Exposing user identifiers, partner tracking IDs, and behavioral data (cart state, page visits) in console logs significantly increases attack surface. Malicious actors can exploit this data for session hijacking, identity theft, cross-site tracking amplification, and targeted phishing. Compliance frameworks like GDPR and CCPA have specific requirements around preventing unauthorized user data exposure. Fixing this prevents unauthorized data collection visibility and reduces the effectiveness of browser-based reconnaissance attacks.
Route To
Security Engineer / Backend Privacy Engineer / Analytics Platform Owner
Page
Tester
Sharon · Security Console Log Analyzer
Technical Evidence
Console: [LOG] CA event: instantaneous | cache before optimizations: false [ERROR] {"message":"Network Error","name":"Error",..."data":"{\"events\":[{\"event_manager\":[\"snapchat\"],\"event_type\":\"PAGE_VIEW\",...\"user_data\":{\"client_user_agent\":\"Mozilla/5.0...\",\"partner_name\":\"liveramp\",\"scid\":\"uwlKazTV7C5BQJtfGN6iEboeBu86dxw7\"},...}
Network: POST https://capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17 with full payload containing user_data, scid, partner_name, and event_source_url; POST https://pinterest-capi.analytics.rlcdn.com/send-events/3041afb7-8374-4111-8e95-43b2fe9b6a17 with similar sensitive payload
152 more issues detected
Sensitive User Identifiers and Tracking Data Exposed in Netw...
User Tracking Identifiers and Device Fingerprinting Exposed ...
Multiple network requests to unknown encoded endpoint paths ...
and 149 more...
You're viewing the top 3 issues for Men's Wearhouse.