We take data privacy and security very seriously and have outlined the most important aspects of what we do in Hotjar’s Compliance, Legal and Security Knowledge Base.
Regarding the recent log4j vulnerabilities CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) and CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046), we carried out investigations on Friday 10 December and Wednesday 15 December 2021, respectively.
We initially found 2 internal servers used in our CI/CD processes that had the affected libraries present. The servers were upgraded, and we confirmed that the libraries were no longer in use. During the following week we continued monitoring and ran checks to confirm that no further usage of the library remained.
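The checks described above (finding every copy of log4j-core on a host and deciding whether its version falls within the two CVEs cited) are the kind of inventory scan a defender runs after upgrading. The following is an added example of such a scan, written for this page; it is not Hotjar's own tooling. It assumes the Maven `pom.properties` that Apache ships inside log4j-core jars is the version source, treats every 2.x release below 2.16.0 (except 2.12.2 on the Java 7 line) as affected by at least one of CVE-2021-44228 / CVE-2021-45046, and builds its own sample archives in a temporary directory so it runs offline.

```python
# Added example (not Hotjar's tooling): inventory scan for log4j-core jars affected by
# CVE-2021-44228 / CVE-2021-45046, including jars nested inside .war/.ear files.
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3  # how many levels of jars-within-jars to descend


@dataclass
class Finding:
    location: str           # path; "!" separates an archive from an entry nested inside it
    version: Optional[str]  # log4j-core version from pom.properties, if present
    has_jndi_class: bool    # JndiLookup.class present (2.16.0 still ships it, so not conclusive alone)
    affected: bool          # affected version, or unknown version with the class present


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); None when a component is not numeric."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            return None
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if log4j-core `version` is affected by CVE-2021-44228 or CVE-2021-45046.

    Both are fixed in 2.16.0 (and in 2.12.2 on the Java 7 line); every other 2.x
    release below 2.16.0 is affected by at least one. Unparsable versions are flagged.
    """
    v = parse_version(version)
    if v is None:
        return True
    if v[:3] == (2, 12, 2):
        return False
    return (2,) <= v < (2, 16, 0)


def scan_archive(label: str, data: bytes, depth: int = 0) -> List[Finding]:
    """Inspect one archive held in memory, recursing into archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings: List[Finding] = []
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else None
        if has_jndi or version is not None:
            affected = is_affected(version) if version is not None else has_jndi
            findings.append(Finding(label, version, has_jndi, affected))
        if depth < MAX_NESTING:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(scan_archive(f"{label}!{name}", zf.read(name), depth + 1))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under `root`; locations are reported relative to root."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(os.path.relpath(path, root), fh.read()))
    return findings


def _build_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_sample_jars(root: str) -> None:
    """Write constructed sample archives (stand-ins, not real log4j builds) into `root`."""
    def log4j_core(version: str) -> bytes:
        return _build_jar({POM_PROPS: f"version={version}\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    samples = {
        "vulnerable.jar": log4j_core("2.14.1"),
        "patched.jar": log4j_core("2.16.0"),
        "unrelated.jar": _build_jar({"com/example/App.class": b"\xca\xfe\xba\xbe"}),
        "app.war": _build_jar({"WEB-INF/lib/log4j-core-2.15.0.jar": log4j_core("2.15.0")}),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo_scan() -> Dict[str, Finding]:
    """Build the constructed samples in a temp dir, scan them, return {location: Finding}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jars(tmp)
        return {f.location: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for loc, f in demo_scan().items():
        print(("AFFECTED " if f.affected else "ok       ") + f"{loc} version={f.version}")
```

Pointing `scan_tree` at a host's application and build directories lists every log4j-core copy with its version, which is what an "is it still in use anywhere" check needs; the class-presence flag is kept separately because fixed releases still ship `JndiLookup.class`, so version is the deciding signal and the class only marks unversioned copies for manual review.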
For more context, Hotjar by and large does not run a JVM stack itself outside of very specific tools (such as the 2 servers mentioned above); where it depends on one, it relies on providers like AWS to manage that stack for us (OpenSearch / Kafka).
Your security and that of your end users have not been affected in any way, and no action is required on your side. We will continue to monitor the situation closely and update you promptly and transparently if anything changes.