Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
SWFObject is an open, source JavaScript library that detects whether the visitor's browser supports Adobe Flash and, if so, embeds an .swf file in the page. It was the de, facto standard for Flash embedding from 2007 until Flash Player was discontinued by Adobe on 31 December 2020. Detecting SWFObject on a site today almost always indicates legacy code that no longer runs in any modern browser, with all the security risk that implies.
SWFObject is an open, source JavaScript library that became the de, facto standard for embedding Adobe Flash (.swf) content in web pages from 2007 onwards. It detects whether the visitor''s browser supports Flash, falls back to alternative HTML when it does not, and replaces a placeholder element with the Flash object using DOM manipulation rather than the older object/embed HTML tags.
Adobe ended support for Flash Player on 31 December 2020 and every modern browser (Chrome, Edge, Firefox, Safari) actively blocks Flash content. Pages still loading SWFObject either silently fail or display fallback content. Worse, attackers regularly exploit the visual void by serving fake Flash update prompts that install malware. SWFObject on a public site in 2026 is therefore a signal of unmaintained code, not a working feature.
The SWFObject library itself does not collect or transmit data. The Flash content it loads, however, could write Flash, level Local Shared Objects (LSO, aka Flash cookies) up to 100 KB in size, outside the regular browser cookie store. Most consent management platforms never detected LSOs, which is one reason Flash, era trackers persisted for years after users believed they had been cleared.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Running end, of, life software on a public service is hard to defend under the GDPR Article 32 (state of the art security) and under NIS2 for in, scope operators. A site still serving SWFObject and .swf files is also likely to ship an outdated jQuery, an old WordPress core or unpatched PHP, the same generation of issues tends to come bundled. Auditors take SWFObject as a strong hint that the wider stack needs a full review.
Remove every reference to SWFObject and to .swf files. For video, replace with native HTML5 <video> (preferably self, hosted MP4/WebM) or with a consented embed of YouTube or Vimeo. For interactive content, rebuild with HTML5 Canvas, SVG or modern JavaScript frameworks. For animations, use Lottie, Rive or simple CSS. Keep an inventory of which pages had Flash so you can confirm none was missed during the migration.
Websites using SWFObject must obtain user consent under GDPR regulations.
DPIA considerations
SWFObject itself is a static script that does not collect personal data, so on its own it does not require a DPIA. The real risk is the Flash content it loads: (1) Adobe Flash Player has been blocked in every modern browser since January 2021, so users either see nothing or are tricked into installing a fake Flash plugin (malware vector); (2) any .swf file loaded from a third, party domain can set Flash, level cookies (Local Shared Objects) outside the regular browser cookie store, which most CMPs do not detect; (3) keeping a Flash embed on a public, facing site signals that the broader application has not been maintained for several years, increasing the likelihood of unpatched vulnerabilities elsewhere; (4) NIS2 and national security baselines may consider continued use of end, of, life software as an obvious shortcoming during an audit. The compliant response is migration, not configuration.
Sample consent text
Some legacy pages on this site historically used Adobe Flash content embedded with SWFObject. Adobe ended Flash support on 31 December 2020 and modern browsers no longer execute Flash. If you encounter such a page, please report it so we can replace it with an HTML5 alternative. No personal data is collected by the SWFObject library itself.
Third-party domains contacted
github.com/swfobject/swfobjectfpdownload.adobe.comget.adobe.comThis service may collect user data. Ensure GDPR compliance with FlowConsent.
None. SWFObject is a pure JavaScript library that loads .swf files but does not write to document.cookie itself. The Flash content it loads may, however, write Local Shared Objects (Flash cookies) up to 100 KB outside the regular browser cookie store.
For the library itself, no. For the Flash content it embeds, yes if that content writes Local Shared Objects or makes calls to a tracking server. In practice, since Flash no longer runs in 2026 browsers, the consent question is moot: remove the embed instead.
Not applicable for the library. Any underlying processing performed by the Flash content (analytics, ads, identity verification) needs its own legal basis, normally consent or legitimate interest with a balancing test.
SWFObject itself does not call out. Transfers depend entirely on where the .swf file is hosted and on what it does internally. Treat each embedded .swf as its own service.
Not for SWFObject. A DPIA may be triggered by the Flash content if it processes sensitive data or profiles users, but the right remediation is to retire the Flash content, not to assess it.
Migrate away. Replace Flash video with HTML5 <video>, Flash games with HTML5 Canvas or Rive, Flash banners with HTML5 ads, and Flash uploads with native multipart form HTML5. Then delete the SWFObject script reference and the .swf files from your repo.
Yes: native HTML5 (<video>, <audio>, <canvas>, SVG), Lottie or Rive for animation, Web Components for reusable widgets. There is no modern reason to embed Flash content.
Remove SWFObject mentions when you remove the library. If any Flash, era Local Shared Objects might still exist on returning visitors' machines, add a one, line note explaining how to clear them through the legacy Adobe Settings Manager.