CRXaminer

JPEG XL Viewer

Version 0.3.0

Last scanned: about 12 hours ago

Extension Details

Rating: 4.4 ★ (28 ratings)
Users: 5,000

Context-Aware Verdict

Overall Risk: HIGH

Trust Factors:

The extension has a modest user base of 5,000 users with a solid 4.4-star rating from 28 reviews, suggesting generally positive user experiences. However, the lack of clear developer information and company details reduces transparency and accountability. The extension appears to serve a legitimate purpose - viewing JPEG XL image files, which is a newer image format not natively supported by all browsers.

Concerns:

The extension's permissions are extremely broad relative to its stated purpose. For a simple image viewer, having access to all websites and the ability to inject content scripts everywhere is excessive. The unsafe WebAssembly execution permission, while potentially necessary for image processing, creates additional attack surface. These permissions would allow the extension to monitor all browsing activity, access sensitive data on any website, and potentially execute hidden malicious code through WebAssembly.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to image viewing tasks to limit exposure. Before installation, verify you actually need JPEG XL support, as this format isn't widely used yet. Monitor the extension's behavior and consider alternatives with more restrictive permissions if available. Given the broad permissions, only install if you trust the developer completely, and regularly review if the functionality is still needed. The extension's legitimate use case doesn't justify the extensive access it requests.

Findings

HIGH: Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH: Unsafe WebAssembly Execution
This extension's Content Security Policy allows 'wasm-unsafe-eval', which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations.