Version 1.3.5
The site owner was logged into admin and looking at Who's Online. She noticed a session with her IP address and an active cart containing several items, which she had not put there. On visiting the store she found that these items were displayed in her cart.
I checked the site's apache logs. The only add_product hits that day (20 of them) all came from a single other IP address, in another country. I looked at all hits from this latter IP address and found that most had a zenid in the URL - I presume this occurs when cookies are disabled. A few different zenids occurred, as well as some requests with no zenid. There were many hits from this IP over a total of 8 hours, their pattern suggesting human rather than script activity. However the referrer field was always blank.
I pulled out the products_ids of the add_product hits and the site owner confirmed that these products were all among those in her phantom cart. (There were multiple-adds too, I don't have the ids for these.)
Bookmarks