[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Javascript Object Browser

Version 1.2.1 View in Chrome Web Store

Last scanned: 1 day ago | force re-scan

Extension Details

Developer: duck-producktions.blogspot.com

Rating: 3.9 ★ (27 ratings)

Users: 3,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has a relatively small user base of 3,000 users and a moderate rating of 3.9 stars from only 27 reviews, indicating limited community validation. The developer is identified only by a Blogspot URL rather than a verified company or established developer profile, which raises questions about accountability and legitimacy. The lack of a clear description makes it difficult to understand the extension's intended purpose and justify its extensive permissions.

Concerns:

This extension exhibits extremely concerning permission overreach for what appears to be a JavaScript debugging tool. It requests virtually every available Chrome permission, including highly sensitive ones like debugger access, proxy control, privacy settings modification, and the ability to manage other extensions. The combination of webRequest and webRequestBlocking permissions allows complete interception and modification of all web traffic. The Content Security Policy permits unsafe JavaScript evaluation, creating additional attack vectors. The use of Manifest V2 provides fewer security protections than the current standard.

Recommendations:

Do not install this extension under any circumstances. If you absolutely must use it for development purposes, create a completely isolated Chrome profile with no personal data, disable sync, and use it only on non-sensitive websites. Consider alternative JavaScript debugging tools with more reasonable permission requests. The extensive permissions combined with unclear purpose and limited developer accountability make this extension unsuitable for general use.

Findings

HIGH

Dangerous Permission Combination: webRequest + webRequestBlocking

This extension can intercept, modify, and block web requests in real-time. This combination could be used to modify sensitive web traffic or steal data.

HIGH

High-Risk Permission: bookmarks

This extension has the bookmarks permission. Can access and modify bookmarks. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardRead

This extension has the clipboardRead permission. Can read clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardWrite

This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: history

This extension has the history permission. Can access your browsing history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: privacy

This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: proxy

This extension has the proxy permission. Can control proxy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequestBlocking

This extension has the webRequestBlocking permission. Can block and modify web requests in real-time. This could potentially be used maliciously to compromise security or privacy.

HIGH

Unsafe JavaScript Evaluation

This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: geolocation

This extension has the geolocation permission. Can access your location.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Raw Manifest

{
  "app": {
    "launch": {
      "container": "tab",
      "local_path": "index.html",
      "manifest_version": 2
    }
  },
  "name": "Javascript Object Browser",
  "icons": {
    "16": "icon_16.png",
    "128": "icon_128.png"
  },
  "version": "1.2.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Browse through the objects in the default Javascript library and any local or online libraries",
  "permissions": [
    "*://*/*",
    "activeTab",
    "alarms",
    "background",
    "bookmarks",
    "browsingData",
    "chrome://favicon/",
    "clipboardRead",
    "clipboardWrite",
    "contentSettings",
    "contextMenus",
    "cookies",
    "debugger",
    "fileBrowserHandler",
    "fontSettings",
    "geolocation",
    "history",
    "idle",
    "management",
    "nativeMessaging",
    "notifications",
    "pageCapture",
    "power",
    "privacy",
    "proxy",
    "storage",
    "system.cpu",
    "system.display",
    "system.memory",
    "system.storage",
    "tabCapture",
    "tabs",
    "topSites",
    "tts",
    "ttsEngine",
    "unlimitedStorage",
    "webNavigation",
    "webRequest",
    "webRequestBlocking"
  ],
  "permissions_app": [
    "declarativeContent",
    "desktopCapture",
    "dns",
    "downloads",
    "gcm",
    "identity",
    "pushMessaging",
    "processes"
  ],
  "permissions_dev": [
    "infobars",
    "sessions",
    "signedInDevices",
    "ledger",
    "enterprise.platformKeys",
    "location"
  ],
  "manifest_version": 2,
  "content_security_policy": "script-src 'self' 'unsafe-eval'; script-src 'self' 'unsafe-inline'; object-src 'self'"
}

by ✦ Astarte

Javascript Object Browser

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (2 total):

Raw Manifest

Detections

Manifest Findings