Extension Details
Context-Aware Verdict
The extension has a perfect 5.0 rating but with only 1 review, making this rating statistically insignificant. With 10,000 users, it has moderate adoption but lacks transparency regarding the developer identity and company information. The absence of developer details raises questions about accountability and support.
The primary concern is the broad content script injection capability across all websites (*://*/*), which is excessive for most legitimate use cases. This permission allows the extension to access and modify content on every website you visit, potentially exposing sensitive information like passwords, personal data, and financial details. The storage permission, while common, combined with universal site access creates additional privacy risks as it can persistently store data collected from any website.
The lack of specific host permissions suggests the extension may not have a focused purpose, which is unusual for legitimate tools. The minimal security findings indicate basic functionality but the broad access remains problematic.
Consider running this extension in a separate Chrome profile dedicated to non-sensitive browsing. Avoid using it while accessing banking, email, or other sensitive websites. Review what specific functionality this extension provides and determine if the broad website access is truly necessary for its intended purpose. If possible, look for alternative extensions with more restrictive permissions that accomplish the same task.
Findings
Security Analysis Details
Required Permissions:
- storage
Embedded URLs (15 total):
| https://nmf3ldhlpg.execute-api.us-east-1.amazonaws.com/default/ | https://summaries-api.navina.ai/ | |
| https://staging.navina.ai/ | https://app.navina.ai/ | |
| https://ecwprodcefqhc.s4ch.net | https://ecw-metro.s4ch.net | |
| https://p2e.navina.ai/ | http://www.w3.org/2000/svg | |
| https://addon-api.navina.ai/api_gateway-emr_logs-save_log_to_db | http://schemas.xmlsoap.org/soap/envelope/ | |
| http://schemas.xmlsoap.org/soap/encoding/ | http://www.w3.org/1999/XMLSchema | |
| http://www.w3.org/1999/XMLSchema-instance | https://addon-api.navina.ai/ | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "Navina Addon", "icons": { "16": "icon.png", "48": "icon.png", "128": "icon.png" }, "version": "6.0.1", "background": { "service_worker": "js/background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "The Navina extension adds integration between the Navina system and your EMR.", "permissions": [ "storage" ], "content_scripts": [ { "js": [ "js/content_script.js" ], "run_at": "document_end", "matches": [ "*://*/*" ] } ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "js/injected_script_ecw.js", "css/injected_style_ecw.css", "font/*.woff2", "iframe.html", "sso-iframe.html", "post-visit-popup-iframe.html" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.