[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Fullstory Companion

Version 5.4 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Rating: 5.0 ★ (3 ratings)

Users: 656

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

The extension has a perfect 5.0 rating but with only 3 reviews and 656 users, indicating limited adoption and feedback. The name "Fullstory Companion" suggests it's related to Fullstory, a legitimate session recording and analytics platform. However, the lack of clear developer information and minimal user base raises some trust concerns.

Concerns:

The primary concern is the broad host permissions (https://*/*) combined with content script injection across all HTTP and HTTPS sites. This creates an unnecessarily wide attack surface for what appears to be a companion tool. The declarativeNetRequest permission allows network request modification, which could potentially be misused. The combination of these permissions enables the extension to monitor, modify, or intercept data across virtually all websites you visit.

The activeTab permission alone would be more appropriate for most companion tools, making the broad permissions seem excessive for the stated purpose.

Recommendations:

Consider running this extension in a separate Chrome profile to isolate its access from your primary browsing activities. Before installation, verify this is the official Fullstory companion extension through Fullstory's website or support channels. Monitor the extension's behavior and consider removing it if you notice unusual network activity. Given the broad permissions, only install if you specifically need Fullstory integration and trust the source completely.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

Security Analysis Details

Required Permissions:

activeTab
declarativeNetRequest
sidePanel

Host Permissions:

https://*/*

Embedded URLs (749 total):

https://clients2.google.com/service/update2/crx	https://www.robotstxt.org/robotstxt.html
https://www.fullstory.com/legal/terms-and-conditions/	http://www.w3.org/2000/svg
https://fs-currenturl.invalid	https://fs-excluded.invalid
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/2000/xmlns/	https://data-url.fs.invalid/
https://fs-obfuscated.invalid	https://github.com/primer/github-syntax-light
https://feross.org	https://github.com/amdjs/amdjs-api/wiki/AMD#defineamd-property-
https://beautifier.io/	http://www.w3.org/TR/CSS21/syndata.html#tokenization
http://www.w3.org/TR/css3-syntax/	https://developer.mozilla.org/en-US/docs/Web/CSS/At-rule
https://www.w3.org/TR/html5/syntax.html#optional-tags	https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
https://developer.mozilla.org/en-US/docs/Web/HTML/Inline_elements	https://www.w3.org/TR/html5/dom.html#phrasing-content
https://www.w3.org/html/wg/drafts/html/master/syntax.html#void-elements	https://www.computerhope.com/jargon/h/html-basefont-tag.htm
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/isindex	https://en.wikipedia.org/wiki/Conditional_comment
http://www.ecma-international.org/ecma-262/5.1/#sec-7.9.1	http://esprima.org
http://marijnhaverbeke.nl/git/acorn	https://github.com/marijnh/acorn.git
https://lodash.com/	https://openjsf.org/
https://lodash.com/license	http://underscorejs.org/LICENSE
https://npms.io/search?q=ponyfill.	http://ecma-international.org/ecma-262/7.0/#sec-patterns
http://ecma-international.org/ecma-262/7.0/#sec-template-literal-lexical-components	https://en.wikipedia.org/wiki/Combining_Diacritical_Marks
https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols	https://mathiasbynens.be/notes/javascript-unicode
http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/	http://ecma-international.org/ecma-262/7.0/#sec-object.prototype.tostring
http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero	https://bugs.webkit.org/show_bug.cgi?id=156034
https://en.wikipedia.org/wiki/Exponentiation_by_squaring	https://mdn.io/clearTimeout
https://github.com/jashkenas/underscore/pull/1247	https://bugs.chromium.org/p/v8/issues/detail?id=90
http://ecma-international.org/ecma-262/7.0/#sec-ecmascript-function-objects-call-thisargument-argumentslist	https://es5.github.io/#x13.2.2
https://mdn.io/round#Examples	http://www.ecma-international.org/ecma-262/7.0/#sec-regexp.prototype.tostring
http://ecma-international.org/ecma-262/7.0/#sec-object.keys	https://bugs.chromium.org/p/v8/issues/detail?id=2070
https://mdn.io/setTimeout	https://mdn.io/Array/reverse
https://mdn.io/Array/slice	https://en.wikipedia.org/wiki/Symmetric_difference
https://mdn.io/iteration_protocols#iterator	https://en.wikipedia.org/wiki/Empty_set
https://en.wikipedia.org/wiki/Vacuous_truth	https://en.wikipedia.org/wiki/Fisher-Yates_shuffle
http://peter.michaux.ca/articles/lazy-function-definition-pattern	https://css-tricks.com/debouncing-throttling-explained-examples/
http://ecma-international.org/ecma-262/7.0/#sec-properties-of-the-map-prototype-object	https://mdn.io/rest_parameters
http://www.ecma-international.org/ecma-262/7.0/#sec-function.prototype.apply	https://mdn.io/spread_operator
https://mdn.io/Structured_clone_algorithm	https://mdn.io/Number/isFinite
https://mdn.io/Number/isInteger	http://ecma-international.org/ecma-262/7.0/#sec-tolength
http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types	https://mdn.io/Number/isNaN
https://mdn.io/isNaN	https://www.npmjs.com/package/babel-polyfill
https://mdn.io/Number/isSafeInteger	http://www.ecma-international.org/ecma-262/7.0/#sec-tointeger
https://mdn.io/Object/assign	https://en.wikipedia.org/wiki/CamelCase

Page 1 of 10

Raw Manifest

{
  "name": "Fullstory Companion",
  "icons": {
    "16": "newFS-16-black.png",
    "32": "newFS-32-black.png",
    "48": "newFS-48-black.png",
    "128": "newFS-128-black.png"
  },
  "action": {
    "default_title": "Click to open panel"
  },
  "version": "5.4",
  "background": {
    "service_worker": "static/js/worker.js"
  },
  "side_panel": {
    "default_path": "index.html",
    "default_title": "Fullstory Companion"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Configure and optimize behavioral data capture with the Fullstory Companion extension.",
  "permissions": [
    "activeTab",
    "declarativeNetRequest",
    "sidePanel"
  ],
  "content_scripts": [
    {
      "js": [
        "./static/js/content.js"
      ],
      "run_at": "document_start",
      "matches": [
        "http://*/*",
        "https://*/*"
      ]
    },
    {
      "js": [
        "./static/js/contentIFrame.js"
      ],
      "run_at": "document_start",
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "https://*/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "static/js/injected.js",
        "static/js/injectedIFrame.js",
        "index.html",
        "fs.js",
        "includeFS.js",
        "dlcv4.js"
      ]
    }
  ]
}

by ✦ Astarte