Extension Details
Context-Aware Verdict
The extension comes from Leaning Technologies Limited, a legitimate company known for developing CheerpJ technology for running Java applets in browsers. With 100,000 users and a solid 4.5-star rating from 280 reviews, it demonstrates reasonable user adoption and satisfaction. The extension serves a specific technical purpose - enabling Java applet functionality in modern browsers where native Java plugin support has been deprecated.
The scripting permission combined with activeTab access allows the extension to execute code on any website you visit after clicking the extension icon. The declarativeNetRequestWithHostAccess permission enables network request modification, which could potentially intercept or alter web traffic. While the storage permission is relatively benign for saving user preferences, the combination of these permissions creates a moderate attack surface. The alarms permission, though less concerning, allows the extension to run scheduled tasks.
This extension appears legitimate for its intended Java applet functionality, but the broad permissions warrant caution. Only install if you specifically need Java applet support for legacy applications or websites. Consider running it in a separate Chrome profile dedicated to sites requiring Java applets to limit exposure. Regularly review which sites you're using the extension on, and disable it when not actively needed. Monitor for any unexpected behavior or network activity when the extension is active.
Findings
Security Analysis Details
Required Permissions:
- scripting
- activeTab
- storage
- declarativeNetRequestWithHostAccess
- alarms
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'
Embedded URLs (27 total):
| http://www.w3.org/2000/svg | http://www.w3.org/1999/xlink | |
| https://labs.leaningtech.com/feedback-appletrunner | https://jnlp-runner.leaning-technologies.workers.dev/verify?licenseKey= | |
| https://cheerpj.com/ | https://labs.leaningtech.com/docs/cheerpj-applet-runner | |
| https://github.com/leaningtech/cheerpj-applet-runner/issues/new | https://cheerpj.com/contact/ | |
| https://github.com/leaningtech/cheerpj-applet-runner/issues/new?&title=Bug+report+for:+ | https://microsoftedge.microsoft.com/addons/detail/cheerpj-applet-runner/ | |
| https://chromewebstore.google.com/detail/cheerpj-applet-runner/ | https://fonts.googleapis.com/icon?family=Material+Icons | |
| https://labs.leaningtech.com/cheerpj-applet-runner | https://leaningtech.com/ | |
| https://labs.leaningtech.com/payment-applet | https://labs.leaningtech.com/payment-jnlp | |
| https://labs.leaningtech.com/docs/cheerpj-applet-runner/licensing | https://github.com/golang/go/issues/28975 | |
| https://cheerpj.com/docs/licensing | http://www.brynosaurus.com/cachedir/ | |
| http://ocsp.example.net:80 | http://www.w3.org/TR/1999/REC-xslt-19991116 | |
| http://www.w3.org/2001/04/xmldsig-more#rsa-md5 | http://www.w3.org/2001/04/xmldsig-more#hmac-md5 | |
| http://www.w3.org/2001/04/xmldsig-more#md5 | http://some.company.com/cacert | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "CheerpJ Applet Runner", "icons": { "32": "cheerpjAR_32x32.png", "128": "cheerpjAR_128x128.png" }, "action": { "default_icon": "cheerpjAR_128x128_gray.png", "default_popup": "popup.html", "default_title": "CheerpJ Applet Runner Disabled" }, "storage": { "managed_schema": "storage_schema.json" }, "version": "2026.3", "background": { "service_worker": "bg.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Run Java applets without installing Java", "permissions": [ "scripting", "activeTab", "storage", "declarativeNetRequestWithHostAccess", "alarms" ], "manifest_version": 3, "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'" }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "cheerpj/*", "init_applet.js" ] } ], "optional_host_permissions": [ "http://*/", "https://*/" ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.