I see your point. I can assure you, that this script isn't intended to do tracking or anything other malicious. But I also understand that you won't just take my word for it.
The purpose of the script is to embed our donation form and resize the iframe to fit the content. We also need a way to set the iframe url from the url of the embedding frame. Also in some cases we scroll to the iframe inside the page.
Regarding your points:
- mouse movements/scroll/clicks/status
I don't know if we even use this, or if it's just part of some library that is included.
We need scrollposition and size of the iframe, because in some cases we want to scroll to the donation form on the embedding web page. In any case, we only send scrollposition to the parent frame.
useragent checks
Those are for functionality checks only.
window size checks
This is also related to the resizing of the iframe or the location of the iframe relative to the viewport.
cookie sets/checks
This is related to cookie-banners on the parent website. We try to respect the cookie choice the user made and for that we read some cookies.
Linking to googleanalytics
Also related to cookie banners and we also try to pass the google analytics user id from the parent to our iframe. This is of course related to tracking, but we don't do the tracking and if no google analytics is present (because it's blocked or not included in the parent site) then this code does nothing.
Linking to onetrust
I think this one is related to the cookie banners described under "cookie sets/checks"
Generally you can check the network and JS message passing and you'll see that we only transfer data related to the functions described on top.