[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Javascript Object Browser

Version 1.2.1 View in Chrome Web Store

Last scanned: 7 days ago | force re-scan

Extension Details

Developer: duck-producktions.blogspot.com

Rating: 3.9 ★ (27 ratings)

Users: 3,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has a relatively small user base of 3,000 users and a modest rating of 3.9 stars from only 27 reviews, indicating limited community validation. The developer appears to be an individual blogger rather than an established company, which raises questions about ongoing support and security practices. The lack of recent update information and minimal description provided are additional red flags.

Concerns:

This extension exhibits extremely concerning permission overreach for a JavaScript object browser tool. It requests virtually every available Chrome permission, including highly sensitive ones like debugger access, proxy control, privacy settings modification, and the ability to manage other extensions. The combination of webRequest and webRequestBlocking permissions allows complete interception and modification of web traffic. The Content Security Policy permits unsafe JavaScript evaluation, creating additional attack vectors. Most critically, these extensive permissions are completely unnecessary for a JavaScript debugging tool, suggesting potential malicious intent or extremely poor security practices.

Recommendations:

Do not install this extension under any circumstances. If JavaScript object browsing functionality is needed, seek alternatives from reputable developers with appropriate, limited permissions. The permission set suggests this could be malware disguised as a development tool. If you must use debugging tools, consider browser built-in developer tools or well-established extensions from verified developers with transparent permission usage and strong community backing.

Findings

HIGH

Dangerous Permission Combination: webRequest + webRequestBlocking

This extension can intercept, modify, and block web requests in real-time. This combination could be used to modify sensitive web traffic or steal data.

HIGH

High-Risk Permission: bookmarks

This extension has the bookmarks permission. Can access and modify bookmarks. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardRead

This extension has the clipboardRead permission. Can read clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardWrite

This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: history

This extension has the history permission. Can access your browsing history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: privacy

This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: proxy

This extension has the proxy permission. Can control proxy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequestBlocking

This extension has the webRequestBlocking permission. Can block and modify web requests in real-time. This could potentially be used maliciously to compromise security or privacy.

HIGH

Unsafe JavaScript Evaluation

This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: geolocation

This extension has the geolocation permission. Can access your location.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Raw Manifest

{
  "app": {
    "launch": {
      "container": "tab",
      "local_path": "index.html",
      "manifest_version": 2
    }
  },
  "name": "Javascript Object Browser",
  "icons": {
    "16": "icon_16.png",
    "128": "icon_128.png"
  },
  "version": "1.2.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Browse through the objects in the default Javascript library and any local or online libraries",
  "permissions": [
    "*://*/*",
    "activeTab",
    "alarms",
    "background",
    "bookmarks",
    "browsingData",
    "chrome://favicon/",
    "clipboardRead",
    "clipboardWrite",
    "contentSettings",
    "contextMenus",
    "cookies",
    "debugger",
    "fileBrowserHandler",
    "fontSettings",
    "geolocation",
    "history",
    "idle",
    "management",
    "nativeMessaging",
    "notifications",
    "pageCapture",
    "power",
    "privacy",
    "proxy",
    "storage",
    "system.cpu",
    "system.display",
    "system.memory",
    "system.storage",
    "tabCapture",
    "tabs",
    "topSites",
    "tts",
    "ttsEngine",
    "unlimitedStorage",
    "webNavigation",
    "webRequest",
    "webRequestBlocking"
  ],
  "permissions_app": [
    "declarativeContent",
    "desktopCapture",
    "dns",
    "downloads",
    "gcm",
    "identity",
    "pushMessaging",
    "processes"
  ],
  "permissions_dev": [
    "infobars",
    "sessions",
    "signedInDevices",
    "ledger",
    "enterprise.platformKeys",
    "location"
  ],
  "manifest_version": 2,
  "content_security_policy": "script-src 'self' 'unsafe-eval'; script-src 'self' 'unsafe-inline'; object-src 'self'"
}

by ✦ Astarte

Javascript Object Browser

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (2 total):

Raw Manifest

Detections

Manifest Findings