What is happening in porn sites where if you tap anywhere you get to random tabs
Executive summary
1. The quick cause: on many websites — especially mobile — a tap can trigger JavaScript or server-side behavior that opens a new tab or redirects to an adult site; that behavior can be injected code, aggressive ad/affiliate scripts, or local browser infection/extension activity [1][2][3]. Evidence from site-operator and forum reports shows the symptom is common across browsers and hosting setups, and is not a single root cause [4][5].
2. The mechanics — how a single tap spawns random porn tabs
A simple tap can fire JavaScript event handlers or meta-refresh instructions that either open a new window/tab or replace the current page; attackers and some ad scripts exploit click handlers to dynamically fetch and insert third‑party URLs (sometimes a random adult URL returned by a remote fetch) and then navigate the browser [2][1]. On mobile browsers, popups or redirects can appear as separate tabs or replace content because of how mobile UIs present new windows, making the behavior feel like “random tabs” opening from no obvious click [5][6].
3. Common sources found in reporting
Investigations and community troubleshooting point to three frequent origins: compromised site code or hosting (malicious PHP files, infected index files, .htaccess rules or database payloads served server‑side) that trigger intermittent redirects [1][2]; third‑party/ad network scripts or “partner” content on adult-oriented or ad-heavy sites that intentionally open partner pages (not always labeled malicious in security discussions) [3]; and local browser problems — infected extensions, cached malware, or device compromise — that cause redirects even after site files are cleaned (forum and support threads report continuing redirects despite reinstall or resets) [7][5][4].
4. Why the redirects look random and intermittent
The randomness reported by site owners and users — the redirect might happen on one click and not on the next — is consistent with dynamically fetched redirect targets, conditional JavaScript that only runs for certain user‑agents or referrers, and ad networks that rotate partner URLs; some malicious scripts deliberately check for automated scanners and only fire under certain conditions, which makes reproduction difficult [2][4]. Community reports describe fresh WordPress installs still showing redirects, suggesting either an upstream injection (hosting, CDN, DNS) or client‑side artifacts that persist despite file resets [4][1].
5. Practical investigation and remediation steps reported by practitioners
Troubleshooting advice from site administrators and support forums emphasizes: disable JavaScript to confirm client‑side script involvement (useful diagnostic) [1]; search the filesystem and database for injected PHP or JS and look for unexpected files or cron jobs [1][2]; audit plugins, themes, and CDN/Cloudflare/DNS settings since redirects can come from upstream services [4]; and on the user/device side, remove suspicious extensions, clear browser profiles or reinstall the browser if malware appears persistent [7][5]. Community threads also recommend monitoring Google Search Console and support forums for evidence of redirects flagged by crawlers [8].
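The filesystem search described above can be scripted. The following is an added example, not code from the cited threads: a small scanner that flags obfuscated PHP `eval` calls, page-wide click handlers that open or navigate a window, off-site meta-refresh tags, and `.htaccess` redirects conditioned on user-agent or referrer. The rule patterns, the file names and the `example` hosts in the sample are constructed assumptions, and a match is a lead to review by hand, not proof of compromise.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic rules: assumptions made for this example, not a complete signature set.
RULES = {
    "php-obfuscated-eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "js-global-click-redirect": re.compile(
        r"(?:document(?:\.body)?|window)\.addEventListener\(\s*['\"](?:click|touchstart|touchend)['\"]"
        r"[\s\S]{0,400}?(?:window\.open|location\.(?:href|replace|assign))", re.I),
    "meta-refresh-offsite": re.compile(
        r"<meta[^>]+http-equiv=['\"]?refresh[^>]+url=\s*https?://", re.I),
    "htaccess-conditional-redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}[^\n]*\n"
        r"(?:\s*RewriteCond[^\n]*\n)*\s*RewriteRule\s+\S+\s+https?://", re.I),
}
SCAN_SUFFIXES = (".php", ".js", ".html", ".htm")

def scan_webroot(root):
    """Return sorted (relative_path, rule_name) pairs for files that match a rule."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = Path(folder, name)
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            hits += [(rel, rule) for rule, rx in RULES.items() if rx.search(text)]
    return sorted(hits)

# Constructed sample webroot: two clean files and three tampered ones.
SAMPLE = {
    "index.php": "<?php echo 'hello'; ?>",
    "js/menu.js": "document.getElementById('m').addEventListener('click', toggle);",
    "wp-content/cache.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "js/ads.js": "document.addEventListener('click', function () { window.open(nextUrl); });",
    ".htaccess": "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
                 "RewriteRule ^(.*)$ https://redirect.example/ [R=302,L]\n",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body, encoding="utf-8")
        return scan_webroot(root)
```

Run `scan_webroot()` against a copy of the site files; it covers files on disk only, so payloads stored in the database or injected upstream (hosting, CDN, DNS) need separate checks.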
6. Alternative perspectives and limits of reporting
Security community posts warn that some adult or ad networks intentionally open partner tabs as part of their monetization flows and label that “not malicious” though annoying, which complicates a binary “site hacked vs. malware” view [3]. Reporting in the provided threads documents symptoms, diagnostic tips, and repeated real‑world cases but does not comprehensively attribute who profits or the full supply‑chain of ad networks and affiliates; those specifics are outside the cited sources and would require ad‑network telemetry or server logs to confirm [4][2].