Multiple "wvdpforce" parameter in access log. Where it comes from

Question

In our apache access log, we found a lot of url ending with the parameter 'wvdpforce=1'

Anyone knows where this parameter come from?

Answer 1

JF Paris, I've encountered this problem too (it seems centered around France and began around February according to my research). From my logs, the behavior looks like some sort of browser hijack, not an injection bot. From what I could witness it doesn't seem harmful (no injection attempts in URL/POST) but I'd be very interested to have a definitive answer as well.