Extension Details
Context-Aware Verdict
The extension has a reasonable user base of 7,000 downloads with a solid 4.2-star rating from 28 reviews, indicating generally positive user experiences. As a simple game extension (Minesweeper), it aligns with expectations for minimal system access requirements. The Content Security Policy shows some security awareness by restricting script sources and allowing only Google Analytics for tracking.
The primary concern is the use of Manifest Version 2, which lacks the enhanced security protections of Manifest V3. This older framework provides fewer restrictions on extension behavior and data access. The inclusion of Google Analytics tracking in a simple game raises minor privacy considerations, though this is relatively common practice. The missing information about the developer and last update date makes it difficult to assess ongoing maintenance and support.
This extension appears safe for general use given its simple game functionality and lack of sensitive permissions. However, consider looking for alternative Minesweeper extensions that have upgraded to Manifest V3 for better security. If you choose to keep this extension, monitor for updates that might migrate to the newer manifest version. The risk is primarily theoretical rather than immediate, making it suitable for most users who want a simple Minesweeper game without significant security concerns.
Findings
Security Analysis Details
Content Security Policy:
- script-src 'self' https://ssl.google-analytics.com; object-src 'self'
Embedded URLs (955 total):
| https://ssl.google-analytics.com/ga.js | https://clients2.google.com/service/update2/crx | |
| https://ssl.google-analytics.com | https://registry.npmjs.org/accepts/-/accepts-1.3.5.tgz | |
| https://github.com/jshttp/accepts/issues | http://jongleberry.com | |
| https://github.com/jshttp/accepts#readme | https://github.com/jshttp/accepts.git | |
| https://www.npmjs.com/package/negotiator | https://www.npmjs.com/package/koa | |
| https://nodejs.org/en/ | https://www.npmjs.com/ | |
| https://docs.npmjs.com/getting-started/installing-npm-packages-locally | https://img.shields.io/npm/v/accepts.svg | |
| https://npmjs.org/package/accepts | https://img.shields.io/node/v/accepts.svg | |
| https://nodejs.org/en/download/ | https://img.shields.io/travis/jshttp/accepts/master.svg | |
| https://travis-ci.org/jshttp/accepts | https://img.shields.io/coveralls/jshttp/accepts/master.svg | |
| https://coveralls.io/r/jshttp/accepts | https://img.shields.io/npm/dm/accepts.svg | |
| https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz | http://blakeembrey.me | |
| https://github.com/blakeembrey/array-flatten/issues | https://github.com/blakeembrey/array-flatten | |
| https://img.shields.io/npm/v/array-flatten.svg?style=flat | https://npmjs.org/package/array-flatten | |
| https://img.shields.io/npm/dm/array-flatten.svg?style=flat | https://img.shields.io/travis/blakeembrey/array-flatten.svg?style=flat | |
| https://travis-ci.org/blakeembrey/array-flatten | https://img.shields.io/coveralls/blakeembrey/array-flatten.svg?style=flat | |
| https://coveralls.io/r/blakeembrey/array-flatten?branch=master | https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz | |
| https://github.com/expressjs/body-parser/issues | https://github.com/expressjs/body-parser#readme | |
| https://github.com/expressjs/body-parser.git | https://nodejs.org/en/docs/guides/anatomy-of-an-http-transaction/ | |
| https://www.npmjs.org/package/busboy#readme | https://www.npmjs.org/package/connect-busboy#readme | |
| https://www.npmjs.org/package/multiparty#readme | https://www.npmjs.org/package/connect-multiparty#readme | |
| https://www.npmjs.org/package/formidable#readme | https://www.npmjs.org/package/multer#readme | |
| https://www.npmjs.org/package/body#readme | https://www.npmjs.org/package/co-body#readme | |
| https://www.npmjs.com/package/bytes | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#Example.3A_Using_the_reviver_parameter | |
| https://www.npmjs.org/package/type-is#readme | https://www.npmjs.org/package/qs#readme | |
| https://img.shields.io/npm/v/body-parser.svg | https://npmjs.org/package/body-parser | |
| https://img.shields.io/travis/expressjs/body-parser/master.svg | https://travis-ci.org/expressjs/body-parser | |
| https://img.shields.io/coveralls/expressjs/body-parser/master.svg | https://coveralls.io/r/expressjs/body-parser?branch=master | |
| https://img.shields.io/npm/dm/body-parser.svg | https://registry.npmjs.org/bytes/-/bytes-3.0.0.tgz | |
| http://tjholowaychuk.com | https://github.com/visionmedia/bytes.js/issues | |
| https://github.com/visionmedia/bytes.js#readme | https://github.com/visionmedia/bytes.js.git | |
| https://img.shields.io/npm/dm/bytes.svg | https://npmjs.org/package/bytes | |
| https://img.shields.io/npm/v/bytes.svg | https://img.shields.io/travis/visionmedia/bytes.js/master.svg | |
| https://travis-ci.org/visionmedia/bytes.js | https://img.shields.io/coveralls/visionmedia/bytes.js/master.svg | |
| https://coveralls.io/r/visionmedia/bytes.js?branch=master | https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz | |
| https://github.com/jshttp/content-disposition/issues | https://github.com/jshttp/content-disposition#readme | |
| https://github.com/jshttp/content-disposition.git | https://tools.ietf.org/html/rfc2616 | |
| https://tools.ietf.org/html/rfc5987 | https://tools.ietf.org/html/rfc6266 | |
| http://greenbytes.de/tech/tc2231/ | https://img.shields.io/npm/v/content-disposition.svg?style=flat | |
| https://npmjs.org/package/content-disposition | https://img.shields.io/node/v/content-disposition.svg?style=flat |
Raw Manifest
{ "name": "Minesweeper", "version": "1.3.1", "short_name": "Minesweeper", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Let's play some Minesweeper!", "browser_action": { "default_icon": "/img/red_flag_tile.png", "default_popup": "Minesweeper.html" }, "manifest_version": 2, "content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'" }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.