"They use this viewability data for who is a good publisher and who is a bad publisher," said de Jager in a phone interview from London on Thursday. "This is being used by the savviest of the performance marketers in the display advertising world."
It means that those marketers could stand to make more money since they are delivering what would be considered higher quality ad inventory.
Spider.io said it notified Microsoft of the problem on Oct. 1, which acknowledged the issue but said it didn't have immediate plans to patch it. The problem affects all Microsoft browser versions going back to IE6.
Microsoft officials did not have an immediate comment on Thursday.
Spider.io discovered the problem within the course of its security work and then later found out it was actually being used in order to track advertisements, de Jager said.
He said he recently had a conversation with a major ad analytics company in New York that was aware of the flaw. The company, he said, chose not to use the problem for its ad tracking but was having to explain to clients why they were not using it to measure viewability.
"It is an industry in flux at the moment," de Jager said. "It's an IP [intellectual property] battle on who can deliver that new metric."
As long as users keep the exploitive display advertisement open, no matter if the browser is minimized, their mouse movements anywhere on a screen can be tracked.
It also has other risks: it could allow an attacker to collect information typed into a software or virtual keyboard, which are sometimes used to prevent people from typing on a real keyboard, avoiding malicious software that record keystrokes.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk