Jira Product Discovery
Version 1.1.6 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension appears to be legitimate Atlassian software for Jira Product Discovery with 10,000 users and a 3.9-star rating. However, the lack of clear developer information and company verification raises some concerns about authenticity verification.
The extension requests extremely broad permissions that seem excessive for a typical Jira integration tool. The <all_urls> host permission allows access to every website you visit, not just Atlassian domains. The webRequest permission enables intercepting and modifying all web traffic, while cookies permission allows reading/writing sensitive authentication data across all sites. The combination of these permissions creates significant privacy and security risks, as the extension could theoretically monitor all browsing activity, steal login credentials, or modify web content on any website.
The unlimitedStorage permission, while less critical, allows indefinite data collection without storage limits.
Install this extension only if you absolutely need Jira Product Discovery functionality and trust Atlassian completely. Consider running it in a separate Chrome profile dedicated to work activities to isolate potential risks from personal browsing. Regularly review what data the extension might be collecting and consider uninstalling when not actively needed. Verify the extension's authenticity through official Atlassian channels before installation, as the broad permissions make this a high-value target for malicious impersonation.
Findings
Security Analysis Details
Required Permissions:
- storage
- webRequest
- contextMenus
- activeTab
- cookies
- scripting
- declarativeNetRequest
- declarativeNetRequestWithHostAccess
- unlimitedStorage
Host Permissions:
- https://*.atlassian.net/*
- https://*.jira-dev.com/*
- https://*.jira.com/*
- <all_urls>
Embedded URLs (132 total):
| https://reactjs.org/docs/error-decoder.html?invariant= | https://bugs.chromium.org/p/v8/issues/detail?id=4118 | |
| https://bugs.chromium.org/p/v8/issues/detail?id=3056 | http://stackoverflow.com/questions/105034/how-to-create-a-guid-uuid-in-javascript/2117523#2117523 | |
| https://github.com/getsentry/sentry-javascript/issues/2043 | https://github.com/ftlabs/js-abbreviate/blob/fa709e5f139e7770a71827b1893f22418097fbda/index.js#L95-L106 | |
| https://stackoverflow.com/q/181348 | https://en.wikipedia.org/wiki/ISO_week_date#Calculating_a_date_given_the_year.2C_week_number_and_weekday | |
| http://momentjs.com/guides/#/warnings/define-locale/ | https://github.com/moment/moment/issues/1423 | |
| http://momentjs.com/guides/#/warnings/js-date/ | http://momentjs.com/guides/#/warnings/min-max/ | |
| https://github.com/moment/moment/pull/1871 | http://momentjs.com/guides/#/warnings/add-inverted-param/ | |
| https://nodejs.org/dist/latest/docs/api/util.html#util_custom_inspect_function_on_objects | http://momentjs.com/guides/#/warnings/zone/ | |
| http://momentjs.com/guides/#/warnings/dst-shifted/ | https://github.com/dordille/moment-isoduration/blob/master/moment.isoduration.js | |
| https://developer.mozilla.org/en-US/docs/Web/API/WindowEventHandlers/onunhandledrejection | https://developer.mozilla.org/en-US/docs/Web/API/PromiseRejectionEvent | |
| https://caniuse.com/#feat=referrer-policy | https://github.com/getsentry/raven-js/issues/1233 | |
| https://developer.mozilla.org/en-US/docs/Web/API/DOMError | https://developer.mozilla.org/en-US/docs/Web/API/DOMException | |
| https://github.com/getsentry/sentry-javascript/issues/1168 | https://github.com/getsentry/raven-js/issues/838 | |
| https://github.com/getsentry/sentry-javascript/issues/1949 | https://docs.sentry.io/clientdev/interfaces/http/?platform=javascript | |
| https://start.stg.atlassian.com | https://start.atlassian.com | |
| https://e1fe8a61efdf48aaa018e138e0083b1b@api.atlassian.com/sentry/1188 | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/2000/svg | http://www.w3.org/1998/Math/MathML | |
| https://reactjs.org/link/react-polyfills | http://fb.me/use-check-prop-types | |
| https://prodregistryv2.org/v1 | https://featureassets.org/v1 | |
| https://api.statsigcdn.com/v1 | https://statsigapi.net/v1/sdk_exception | |
| https://github.com/statsig-io/private-js-client-monorepo/pull/340 | https://cloudflare-dns.com/dns-query | |
| https://docs.statsig.com/client/javascript-sdk/#typed-getters | https://atlaskit.atlassian.com/packages/design-system/icon | |
| https://atlaskit.atlassian.com/packages/design-system/icon/docs/custom-icons | https://docs.statsig.com/client/javascript-sdk/#manual-exposures- | |
| https://xp.atlassian.com/v1/rgstr | https://github.com/facebook/regenerator/blob/main/packages/runtime/runtime.js#L736= | |
| https://github.com/statsig-io/js-lite/blob/main/src/StatsigStore.ts | https://github.com/statsig-io/js-lite/blob/main/src/StatsigSDKOptions.ts | |
| https://api.atlassian-us-gov-mod.com/flags | https://api.stg.atlassian-us-gov-mod.com/flags | |
| https://api.dev.atlassian.com/flags | https://api.stg.atlassian.com/flags | |
| https://api.atlassian.com/flags | https://atlassian-statsig-proxy-archetype.atl-paas.%s.atl-ic.net | |
| https://github.com/statsig-io/js-client-monorepo/blob/main/packages/js-client/src/StatsigEvaluationsDataAdapter.ts | http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero | |
| http://www.ecma-international.org/ecma-262/7.0/#sec-regexp.prototype.tostring | https://bugs.webkit.org/show_bug.cgi?id=156034 | |
| https://github.com/jashkenas/underscore/pull/1247 | https://bugs.chromium.org/p/v8/issues/detail?id=90 | |
| https://en.wikipedia.org/wiki/Exponentiation_by_squaring | https://mdn.io/clearTimeout | |
| http://ecma-international.org/ecma-262/7.0/#sec-ecmascript-function-objects-call-thisargument-argumentslist | https://es5.github.io/#x13.2.2 | |
| https://mdn.io/round#Examples | https://bugs.chromium.org/p/v8/issues/detail?id=2070 | |
| https://mdn.io/Array/reverse | https://css-tricks.com/debouncing-throttling-explained-examples/ | |
| http://ecma-international.org/ecma-262/7.0/#sec-properties-of-the-map-prototype-object | https://mdn.io/Number/isInteger | |
| http://ecma-international.org/ecma-262/7.0/#sec-tolength | http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types | |
| http://www.ecma-international.org/ecma-262/7.0/#sec-tointeger | https://mdn.io/Object/assign | |
| http://ecma-international.org/ecma-262/7.0/#sec-object.keys | https://en.wikipedia.org/wiki/CamelCase |
Raw Manifest
{ "name": "Jira Product Discovery", "icons": { "16": "icon-production16.e9556cf1.png", "48": "icon-production48.62b47d09.png", "128": "icon-production128.913ec90d.png" }, "action": { "default_popup": "popup.92444903.html" }, "version": "1.1.6", "background": { "service_worker": "background.6dcad0e7.js" }, "short_name": "Jira Product Discovery", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Jira Product Discovery Chrome Extension", "permissions": [ "storage", "webRequest", "contextMenus", "activeTab", "cookies", "scripting", "declarativeNetRequest", "declarativeNetRequestWithHostAccess", "unlimitedStorage" ], "host_permissions": [ "https://*.atlassian.net/*", "https://*.jira-dev.com/*", "https://*.jira.com/*", "<all_urls>" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "content-script.js", "content.css", "atlaskit.css", "atlaskit-css-reset.css", "splash@2x.png", "get_started.html" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.