Starting analysis...
Extension Details
Context-Aware Verdict
The extension has a relatively small user base of 2,000 users and a moderate rating of 3.6 stars from 114 reviews, which suggests mixed user experiences. The lack of visible author and developer information raises transparency concerns. The extension's purpose as a volume controller appears legitimate, but the implementation raises security questions.
The most significant concern is the combination of broad content script injection across all websites (http, https, and file protocols) with tabs permission. For a volume controller, this level of access seems excessive and unnecessary. The extension can potentially read sensitive information from any website you visit, modify page content, and access tab information. The tabs permission allows manipulation of browser tabs beyond what a simple volume control tool should require. Using the older Manifest V2 also means fewer built-in security protections compared to V3.
Consider running this extension in a separate Chrome profile to isolate it from your main browsing activities. Look for alternative volume control extensions that use Manifest V3 and request fewer permissions. If you must use this extension, regularly review your browsing data and be cautious when visiting sensitive websites like banking or email services. Monitor the extension's behavior and remove it immediately if you notice any suspicious activity or unexpected website modifications.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- storage
- tabs
Embedded URLs (17 total):
| http://www.w3.org/2000/svg | http://www.w3.org/1999/xlink | |
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | https://clients2.google.com/service/update2/crx | |
| http://www.voot.com/ | https://en.wikipedia.org/wiki/Same-origin_policy | |
| http://rajugt.github.io/ | http://www.freepik.com | |
| http://www.flaticon.com | http://creativecommons.org/licenses/by/3.0/ | |
| http://polymer.github.io/LICENSE.txt | http://polymer.github.io/AUTHORS.txt | |
| http://polymer.github.io/CONTRIBUTORS.txt | http://polymer.github.io/PATENTS.txt | |
| http://jsbin.com/temexa/4 | https://fonts.googleapis.com/css?family=Roboto:400 | |
| https://fonts.googleapis.com/css?family=Roboto+Mono:400 |
Raw Manifest
{ "name": "Volume Controller", "icons": { "16": "icons/icon16.png", "48": "icons/icon48.png", "128": "icons/icon128.png" }, "version": "0.4.1", "background": { "scripts": [ "eventPage.js" ], "persistent": false }, "short_name": "volumeController", "update_url": "https://clients2.google.com/service/update2/crx", "description": "HTML5 video and audio volume controller", "permissions": [ "activeTab", "storage", "tabs" ], "options_page": "options.html", "browser_action": { "default_icon": "icons/icon48.png", "default_popup": "popup.html", "default_title": "" }, "content_scripts": [ { "js": [ "inject.js" ], "matches": [ "http://*/*", "https://*/*", "file:///*" ], "all_frames": true } ], "manifest_version": 2 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.