[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Zotero Connector

Version 5.0.200 View in Chrome Web Store

Last scanned: about 1 hour ago

Extension Details

Developer: Corporation For Digital Scholarship

Rating: 4.0 ★ (2.4K ratings)

Users: 8,000,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors: The Zotero Connector is developed by the Corporation For Digital Scholarship, a reputable non-profit organization behind the well-established academic research tool Zotero. With 8 million users and a 4.0 rating from 2,400+ reviews, this extension has demonstrated widespread adoption in academic and research communities. The extension serves a legitimate purpose as a research tool for collecting and organizing academic sources.

Concerns: While the security analysis flags this as "Critical" risk due to extensive permissions, the context matters significantly. The extension requires broad host permissions and web request interception capabilities because it needs to detect and extract bibliographic information from academic databases, library catalogs, and various websites. The cookies permission is necessary for accessing subscription-based academic resources. However, these powerful permissions could theoretically be misused for data collection or tracking beyond the stated academic purpose.

Recommendations: Given the legitimate academic use case and reputable developer, this extension is generally safe for its intended purpose. However, users concerned about privacy should consider running it in a separate Chrome profile dedicated to research activities. Regularly review what data the extension collects through Zotero's privacy policy. Academic institutions often vet this extension, providing additional confidence. Monitor for any unusual behavior or unexpected data requests, and ensure you're downloading from the official Chrome Web Store.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
contextMenus
cookies
scripting
offscreen
webRequest
declarativeNetRequest
webNavigation
storage

Optional Permissions:

management
clipboardWrite

Host Permissions:

http://*/*
https://*/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'

Embedded URLs (2096 total):

http://digitalscholar.org	https://www.zotero.org
https://www.zotero.org/trademark	http://fsf.org/
http://www.gnu.org/licenses/	https://www.zotero.org/support/kb/moving_documents_between_word_processors
https://www.zotero.org/support/kb/google_docs_citations_unlinked	http://zotero.org
https://groups.google.com/a/chromium.org/g/chromium-extensions/c/lLb3EJzjw0o	https://www.zotero.org/download
https://github.com/zotero/zotero-connectors/issues/156	https://bugs.chromium.org/p/chromium/issues/detail?id=137681
https://bugzilla.mozilla.org/show_bug.cgi?id=1402110	http://mozilla.org/MPL/2.0/.
https://github.com/zotero/zotero-connectors/issues/226	https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/cookies/getAll
https://bugzilla.mozilla.org/show_bug.cgi?id=1315558	https://www.zotero.org/styles/
https://raw.githubusercontent.com/	https://gitee.com/
https://github.com/zotero/zotero-connectors/issues/476	https://www.zotero.org/repo/report
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_scripts#XHR_and_Fetch	https://stackoverflow.com/a/32283373
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9919149	https://www.zotero.org/support/adding_items_to_zotero
https://www.zotero.org/download/	https://www.zotero.org/support/kb/connector_zotero_unavailable
https://github.com/zotero/zotero-connectors/issues/481	https://issues.chromium.org/issues/338162118
https://issues.chromium.org/issues/458071621	http://www.w3.org/1999/xhtml
https://stackoverflow.com/questions/66618136/persistent-service-worker-in-chrome-extension/66618269#66618269	http://www.w3.org/XML/1998/namespace
http://www.w3.org/2000/xmlns/	http://www.w3.org/1999/xlink
https://chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle	https://microsoftedge.microsoft.com/addons/detail/singlefile/efnbkdcfmcmnhlkaijjjmhjjgladedno
https://github.com/csstree/csstree/issues	https://mozilla.org/MPL/2.0/.
https://publicsuffix.org/list/public_suffix_list.dat	https://publicsuffix.org/list/.
http://nic.ac/rules.htm	https://en.wikipedia.org/wiki/.ad
https://tdra.gov.ae/en/aeda/ae-policies	https://www.information.aero/index.php?id=66
http://www.nic.af/help.jsp	http://www.nic.ag/prices.htm
http://nic.com.ai/	http://www.ert.gov.al/ert_alb/faq_det.html?Id=31
https://www.amnic.net/policy/en/Policy_EN.pdf	https://en.wikipedia.org/wiki/.ao
http://www.dns.ao/REGISTR.DOC	https://en.wikipedia.org/wiki/.aq
https://nic.ar/es/nic-argentina/normativa	https://en.wikipedia.org/wiki/.arpa
https://en.wikipedia.org/wiki/.as	https://en.wikipedia.org/wiki/.asia
https://en.wikipedia.org/wiki/.at	https://en.wikipedia.org/wiki/.au
http://www.auda.org.au/	http://www.cgdn.org.au/
https://en.wikipedia.org/wiki/.aw	https://en.wikipedia.org/wiki/.ax
https://en.wikipedia.org/wiki/.az	http://nic.ba/users_data/files/pravilnik_o_registraciji.pdf
https://en.wikipedia.org/wiki/.bb	https://en.wikipedia.org/wiki/.bd
https://en.wikipedia.org/wiki/.be	https://en.wikipedia.org/wiki/.bf
https://en.wikipedia.org/wiki/.bg	https://www.register.bg/user/static/rules/en/index.html
https://en.wikipedia.org/wiki/.bh	https://en.wikipedia.org/wiki/.bi
http://whois.nic.bi/	https://en.wikipedia.org/wiki/.biz
https://nic.bj/bj-suffixes.txt	http://www.bermudanic.bm/dnr-text.txt
http://www.bnnic.bn/faqs	https://nic.bo/delegacion2015.php#h-1.10

Page 1 of 27

Raw Manifest

{
  "name": "Zotero Connector",
  "icons": {
    "16": "Icon-16.png",
    "48": "Icon-48.png",
    "96": "Icon-96.png",
    "128": "Icon-128.png"
  },
  "action": {
    "default_icon": {
      "16": "images/treeitem-webpage-gray.png",
      "32": "images/treeitem-webpage-gray@2x.png",
      "48": "images/treeitem-webpage-gray@48px.png"
    },
    "default_title": "Save to Zotero"
  },
  "sandbox": {
    "pages": [
      "offscreen/offscreenSandbox.html"
    ]
  },
  "version": "5.0.200",
  "commands": {
    "_execute_action": {
      "suggested_key": {
        "default": "Ctrl+Shift+S"
      }
    }
  },
  "background": {
    "service_worker": "background-worker.js"
  },
  "options_ui": {
    "page": "preferences/preferences.html",
    "open_in_tab": true
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Save references to Zotero from your web browser",
  "permissions": [
    "tabs",
    "contextMenus",
    "cookies",
    "scripting",
    "offscreen",
    "webRequest",
    "declarativeNetRequest",
    "webNavigation",
    "storage"
  ],
  "homepage_url": "https://www.zotero.org/",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "browser-polyfill.js",
        "zotero_config.js",
        "zotero.js",
        "translate/promise.js",
        "utilities/date.js",
        "utilities/openurl.js",
        "utilities/xregexp-all.js",
        "utilities/xregexp-unicode-zotero.js",
        "utilities/resource/zoteroTypeSchemaData.js",
        "utilities/utilities.js",
        "utilities/utilities_item.js",
        "utilities.js",
        "http.js",
        "proxy.js",
        "translate/debug.js",
        "utilities/schema.js",
        "translate/rdf/init.js",
        "translate/rdf/uri.js",
        "translate/rdf/term.js",
        "translate/rdf/identity.js",
        "translate/rdf/rdfparser.js",
        "translate/translation/translate.js",
        "translate/translation/translate_item.js",
        "translate/translator.js",
        "translate/utilities_translate.js",
        "inject/http.js",
        "inject/sandboxManager.js",
        "translateWeb.js",
        "itemSaver.js",
        "inject/pageSaving.js",
        "integration/connectorIntegration.js",
        "cachedTypes.js",
        "schema.js",
        "messages.js",
        "messaging_inject.js",
        "inject/progressWindow_inject.js",
        "inject/modalPrompt_inject.js",
        "messagingGeneric.js",
        "i18n.js",
        "singlefile.js",
        "api.js",
        "inject/virtualOffscreenTranslate.js",
        "inject/inject.js"
      ],
      "run_at": "document_start",
      "matches": [
        "http://*/*",
        "https://*/*"
      ]
    },
    {
      "js": [
        "zotero-google-docs-integration/kixAddZoteroMenu.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://docs.google.com/document/*"
      ]
    },
    {
      "js": [
        "zotero-google-docs-integration/googleDocs.js",
        "zotero-google-docs-integration/client.js",
        "zotero-google-docs-integration/clientAppsScript.js",
        "zotero-google-docs-integration/document.js"
      ],
      "run_at": "document_end",
      "matches": [
        "https://docs.google.com/document/*"
      ]
    }
  ],
  "host_permissions": [
    "http://*/*",
    "https://*/*"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "management",
    "clipboardWrite"
  ],
  "minimum_chrome_version": "88",
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  },
  "declarative_net_request": {
    "rule_resources": [
      {
        "id": "styleIntercept",
        "path": "styleInterceptRules.json",
        "enabled": true
      }
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "images/*",
        "progressWindow/progressWindow.html",
        "modalPrompt/modalPrompt.html",
        "confirm/confirm.html",
        "test/data/journalArticle-single.html",
        "browserAttachmentMonitor/browserAttachmentMonitor.html",
        "chromeMessageIframe/messageIframe.html",
        "lib/SingleFile/single-file-hooks-frames.js",
        "inject/pageSaving.js",
        "zoteroFrame.js",
        "translateWeb.js",
        "itemSaver.js"
      ]
    }
  ]
}

by ✦ Astarte

Zotero Connector

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Optional Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (2096 total):

Raw Manifest

Detections

Manifest Findings