Next time this happens please "View Page Source" of your HTML (RH click in Firefox to do that), and capture the entire source of that page into a file (select all, copy, paste). This can be provided to the forum administrators or checked by someone who is familiar with how HTML can have embedded scripting.
Do this before refreshing the page, in case the corruption is done randomly at a low frequency.
Give it a day or two. 
Once we get an example (I should have done it myself yesterday) we can see where the errant code is - perhaps inside a signature.
It's pretty easy to isolate now that you jogged my memory even if I cannot actually see it here...
In Chrome open the developer console
Set to retain log
Wander around the French section as mentioned by others (seems to be easier to make it happen in there)
Console will in my case show it in RED.
Seems somehow related to the following but have a couple more checks to do.
Request URL:http://forum.arduino.cc/cron.php?ts=1488932070
Request Method:GET
Status Code:500 Internal Server Error
Remote Address:54.167.252.43:80
Response Headers
view source
Connection:keep-alive
Content-Type:text/html
Date:Wed, 08 Mar 2017 00:14:41 GMT
Server:nginx/1.11.1
Transfer-Encoding:chunked
X-Powered-By:PHP/5.4.35-1~dotdeb.1
Request Headers
view source
Accept:image/webp,image/*,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-CA,en-GB;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:arduino_sso_authorized=1; PHPSESSID=ae811dec468b3804681f1723fb977b9df47d9fdd
DNT:1
Host:forum.arduino.cc
Referer:http://forum.arduino.cc/index.php?board=75.0
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Query String Parameters
view source
view URL encoded
ts:1488932070
Name
analytics?ab
index.php?api&pm&callback=unreadpm&callback=jQuery111002524402752784225_1488932084346&_=1488932084347
ga.js
cron.php?ts=1488932070
index.php?action=profile;area=alerts_popup;counter=0
This seems to be a suspect but if somebody can rule it out for me.
I know the IP is Arduino's so don't bother checking that side.
It's the request that I would like to rule out.
Request URL:http://forum.arduino.cc/cron.php?ts=1488932070
Request Method:GET
Status Code:500 Internal Server Error
Remote Address:54.167.252.43:80
Anyone know if this is legit ?
.panel.ad {
    /*height: 380px;*/
    height: 367px;
    padding: 0;
    background: #f1f1f1;
    background: url(http://placekitten.com/g/304/367) no-repeat;
}
Hi Travis..
I think Chrome will still pick it up even if it's a sig.
I noticed a couple of times before I set it to retain the log that there were a couple of items going red then suddenly they were no longer there.
Once I set the retain flag I saw that it kept the red ones.
Be nice to have a little more to go on though as I was just stabbing in the dark with what I saw.
travis_farmer:
will do. so far nothing of value, but i will browse around various groups.
if it is in a signature, they could change their sig for just a moment, it changes in all their posts, then they change it back real quick. could be hard to find.
Even so, the "bad" signature will be captured in the static page data you receive on your PC. Thus we can see both where the data is (eg. signature, bio, subject) and also who is doing it.
For those using Firefox, there is an option to log (navigate to about:networking). That may prove enlightening.
@ Nick.
Seeing a link to "cloudfront.net" I know some of your Amazon stuff uses "cloudfront" but would that be different from the ".net" seen here ?
"dcw9y8se13llu.cloudfront.net"
There were also quite a few hits on cloudfront.net redirects and malware when I searched Google for it along with lesser references to Amazon.
Still seeing the "http://placekitten.com/g/304/36" but if that is irrelevant let us know.
Ballscrewbob:
Seeing a link to "cloudfront.net" I know some of your Amazon stuff uses "cloudfront" but would that be different from the ".net" seen here ?
It's not my stuff, and I am not totally sure what the forum guys are doing. The pages seem very complex to me. They take a lot longer to load than the StackExchange ones.
Not my computer

But I never had it again since I opened the thread.
I'm not so often here like others but then I wonder why it happens just to a few people
and others who are here every day don't have it...
travis_farmer:
this may be a little more deep rooted than we thought.
The virus knows you weren't logging so it attacked just then! You are right, this is very sinister. 
Was there more? The first few bytes translate to "GIF89a" - so it looks like a GIF picture.
Anyone tell me if this might be related ?
/Themes/default/scripts/script.js?alph21
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Potentially suspicious obfuscated PHP threat
Offset: 8614
Threat dump: View code
Threat dump MD5: 1D1C948FCDE804A21B277F735BCB171D
File size[byte]: 53079
File type: ASCII
Page/File MD5: 577F6B9910EC200A20F7C90B4E31776A
Scan duration[sec]:
Code list from above scan.
[[\x8a\x8c\x8e\x9f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf]]
Currently pushing site through some scanners.
Also seems Arduino site is on some blacklists !
That according to a couple of site scanners.
I used a few of the sites from this selection HERE
If that's of any help to anyone.
Just fed it "www.arduino.cc"
Odd that you mention that as "load times" were mentioned a few times as being an issue with the site's overall performance on some of the site checks.
Cookie: _ga=GA1.2.358912710.1467879062; arduino_sso_authorized=1;
I smile when I see that in cookies. You can just imagine someone making a custom cookie:
Cookie: _ga=GA1.2.358912710.1467879062; forum_administrator=1;
When I store a cookie it is just a random string I generate. Then I look up that person on the database. All the stuff I need to know (for example, are they an administrator?) is on the host side where it can't be got at. It's just nuts to store actual information (like, are they authorized or not?) onto the client side.
Hi Travis
travis_farmer:
just a brainstorm, i don't have code for it yet. one flaw i can see is if the user fails to log-out, and simply closes the browser.
~Travis
That would be me all the time especially when swapping in and out of DEV and PROD create and the forums. 
SB s&D is ok but a better freebie is MBAM (Malwarebytes) and certainly worth much more than the free price LOL
travis_farmer:
that is a very good point. but what happens if somebody knows what random string belongs to the administrator?
They shouldn't know it. When you log on the system generates the random string. It is quite long so is unlikely to be stumbled-upon by accident. It isn't displayed anywhere, it's just a cookie. Conceivably I could store the IP address that obtained the cookie as well, and make sure they match, but with people who have dynamic IPs it would mean logging in (to the forum) every time their service provider assigns them a new IP.
Plus, with NAT, everyone in (say) a school would have the same IP, so if someone managed to find your cookie and use it, then the IP address would still match.
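The two cookie designs discussed above, side by side, as an added example that is not part of any poster's message or of the forum's own code. The cookie name `session`, the `USERS` table and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Constructed user table: the role lives only on the server.
USERS = {"nick": {"is_admin": True}, "travis": {"is_admin": False}}
SESSIONS = {}  # sha256(token) -> username; the raw token is never stored


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def login(username):
    """Issue an opaque token once the password check (not shown) has passed."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    SESSIONS[_digest(token)] = username
    return token  # sent as: Set-Cookie: session=<token>; HttpOnly; Secure


def parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_trusting_client(header):
    """Anti-pattern: the browser states its own privileges."""
    return parse_cookies(header).get("forum_administrator") == "1"


def is_admin_server_side(header):
    """The cookie is only a lookup key; the role comes from USERS."""
    token = parse_cookies(header).get("session", "")
    username = SESSIONS.get(_digest(token))
    return username is not None and USERS[username]["is_admin"]


if __name__ == "__main__":
    forged = "_ga=GA1.2.358912710.1467879062; forum_administrator=1"
    print(is_admin_trusting_client(forged))  # flag cookie is believed
    print(is_admin_server_side(forged))      # no valid session, so rejected
    print(is_admin_server_side("session=" + login("nick")))
```

Storing only the digest of the token means a leaked session table does not hand out usable cookies.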
I know the IP addy is used but in what regard I don't know as I play with a real VPN here and change things up on occasion with no ill effects getting in and out of the forum. Pretty sure it's more user name and PW that are involved.
More out of curiosity but....
How much of .org is set to link into .cc nowadays content-wise?
Asking as I get "NOT secure" when I drop in there and a pretty plain page as if lots of things are not working?
EDIT this was the link I used "Arduino - Home"
Not posted as a live link !