[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Javascript Object Browser

Version 1.2.1 View in Chrome Web Store

Last scanned: 7 months ago | force re-scan

Extension Details

Developer: duck-producktions.blogspot.com

Rating: 3.9 ★ (27 ratings)

Size: 24.7KiB

Last Updated: July 28, 2014

Users: 3,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

- Low number of users (3,000) for an extension that has been available since 2014

- No information provided about the developer or company

- Low rating of 3.9 from only 27 reviews

Concerns:

- Requests an extremely broad range of permissions, many of which are high-risk and unnecessary for the stated functionality of browsing JavaScript objects

- Can read/write clipboard data, access bookmarks/history, manage other extensions, modify privacy settings, and intercept/block web requests

- Allows unsafe JavaScript evaluation, increasing risk of malicious code execution

Recommendations:

- Do not install this extension unless you fully understand the risks and trust the developer

- If you choose to use it, create a separate Chrome profile and only use this extension in that isolated environment

- Consider using alternative extensions from reputable developers that request only the necessary permissions for their stated functionality

- Report this extension to the Chrome Web Store for review due to the excessive permissions and potential security risks

Overall, the combination of critical risk findings, lack of transparency about the developer, and unnecessary high-risk permissions raise significant security concerns. Extreme caution is advised before installing or using this extension.

Findings

HIGH

Dangerous Permission Combination: webRequest + webRequestBlocking

This extension can intercept, modify, and block web requests in real-time. This combination could be used to modify sensitive web traffic or steal data.

HIGH

High-Risk Permission: bookmarks

This extension has the bookmarks permission. Can access and modify bookmarks. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardRead

This extension has the clipboardRead permission. Can read clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardWrite

This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: history

This extension has the history permission. Can access your browsing history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: privacy

This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: proxy

This extension has the proxy permission. Can control proxy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequestBlocking

This extension has the webRequestBlocking permission. Can block and modify web requests in real-time. This could potentially be used maliciously to compromise security or privacy.

HIGH

Unsafe JavaScript Evaluation

This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: geolocation

This extension has the geolocation permission. Can access your location.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Raw Manifest

{
  "app": {
    "launch": {
      "container": "tab",
      "local_path": "index.html",
      "manifest_version": 2
    }
  },
  "name": "Javascript Object Browser",
  "icons": {
    "16": "icon_16.png",
    "128": "icon_128.png"
  },
  "version": "1.2.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Browse through the objects in the default Javascript library and any local or online libraries",
  "permissions": [
    "*://*/*",
    "activeTab",
    "alarms",
    "background",
    "bookmarks",
    "browsingData",
    "chrome://favicon/",
    "clipboardRead",
    "clipboardWrite",
    "contentSettings",
    "contextMenus",
    "cookies",
    "debugger",
    "fileBrowserHandler",
    "fontSettings",
    "geolocation",
    "history",
    "idle",
    "management",
    "nativeMessaging",
    "notifications",
    "pageCapture",
    "power",
    "privacy",
    "proxy",
    "storage",
    "system.cpu",
    "system.display",
    "system.memory",
    "system.storage",
    "tabCapture",
    "tabs",
    "topSites",
    "tts",
    "ttsEngine",
    "unlimitedStorage",
    "webNavigation",
    "webRequest",
    "webRequestBlocking"
  ],
  "permissions_app": [
    "declarativeContent",
    "desktopCapture",
    "dns",
    "downloads",
    "gcm",
    "identity",
    "pushMessaging",
    "processes"
  ],
  "permissions_dev": [
    "infobars",
    "sessions",
    "signedInDevices",
    "ledger",
    "enterprise.platformKeys",
    "location"
  ],
  "manifest_version": 2,
  "content_security_policy": "script-src 'self' 'unsafe-eval'; script-src 'self' 'unsafe-inline'; object-src 'self'"
}

by ✦ Astarte

Javascript Object Browser

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (2 total):

Raw Manifest

Detections

Manifest Findings