[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

IE Tab

Version 19.3.5.1 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Developer: Blackfish Software, LLC

Rating: 4.3 ★ (19K ratings)

Users: 4,000,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

IE Tab has strong trust indicators with 4 million users, a solid 4.3-star rating from 19,000 reviews, and is developed by Blackfish Software, LLC, an established company. The extension serves a legitimate purpose - enabling Internet Explorer compatibility within Chrome for legacy websites and applications that require IE-specific functionality.

Concerns:

The extension's extensive permissions are concerning given its functionality. The combination of webRequest and webRequestBlocking permissions with broad host access creates significant security risks, as it can intercept and modify all web traffic. The ability to inject content scripts into all websites, access cookies across all domains, and use native messaging creates multiple attack vectors. While these permissions may be necessary for IE emulation, they represent substantial privacy and security exposure.

The broad scope of permissions means the extension has unprecedented access to user browsing data, credentials, and web traffic across all websites. The native messaging capability suggests communication with external applications, which could be exploited if compromised.

Recommendations:

Given the critical risk level, run this extension in a dedicated Chrome profile isolated from sensitive browsing activities. Only use it when IE compatibility is absolutely necessary for specific legacy applications. Regularly review the extension's behavior and consider alternatives like running actual Internet Explorer or Edge's IE mode when possible. Monitor for any unusual network activity or performance issues that might indicate misuse of the extensive permissions.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

Dangerous Permission Combination: webRequest + webRequestBlocking

This extension can intercept, modify, and block web requests in real-time. This combination could be used to modify sensitive web traffic or steal data.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequestBlocking

This extension has the webRequestBlocking permission. Can block and modify web requests in real-time. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
storage
contextMenus
webRequest
webRequestBlocking
nativeMessaging
cookies
alarms
offscreen
declarativeNetRequestWithHostAccess

Optional Permissions:

downloads

Host Permissions:

<all_urls>

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'

Embedded URLs (61 total):

http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html	https://www.google.com/chrome?platform=win
http://fontawesome.io	http://fontawesome.io/license
http://www.ietab.net/support?from=feedback	http://www.ietab.net/options
http://www.ietab.net/ie-tab-documentation	http://www.ietab.net/pricing
http://www.ietab.net/support?from=startpage	http://www.ietab.net/ie-tab-documentation#auto-urls
http://www.ietab.net/options#autourls	http://www.ietab.net/options#page-top
http://www.ietab.net/ie-tab-documentation?key=1	http://stackoverflow.com/questions/7370943/retrieving-binary-file-content-using-javascript-base64-encode-it-and-reverse-de
https://mail.google.com/mail/u/0/#category/forums/FMfcgzQVxbfvkZcZwdnhBnvCLwpXVzsz	http://www.ietab.net/hostedfirstrun
http://www.ietab.net/thanks-installing-ie-tab	https://lping.ietab.net/logger/pingl?key=
https://www.ietab.net/logger/wslicense?info=	https://www.googleapis.com/oauth2/v1/userinfo?access_token=
https://www.googleapis.com/chromewebstore/v1.1/userlicenses/	https://code.google.com/p/chromium/issues/detail?id=313155
https://code.google.com/p/chromium/issues/detail?id=173640	https://code.google.com/p/chromium/issues/detail?id=432757
https://issues.chromium.org/issues/40171997#comment50	http://www.ietab.net/ie-tab-alternatives
https://groups.google.com/a/chromium.org/g/chromium-extensions/c/XY6u0raKRJQ/m/xHOjNiE5BwAJ	http://www.ietab.net/hostedstartpage?from=chromeurl
http://www.ietab.net/ie-tab-documentation?from=chromeurl	http://mit-license.org
http://127.0.0.1/Myrtille/	http://www.ietab.net/notsupported
https://securetoken.googleapis.com/v1/token?key=	https://hub.ietab.net
https://www.ietab.net	http://www.ietab.net/license
https://msdn.microsoft.com/en-us/library/dd565656	https://msdn.microsoft.com/en-us/library/ee330735
https://clients2.google.com/service/update2/crx	http://www.apache.org/licenses/LICENSE-2.0
https://stijndewitt.com/2014/01/26/enums-in-javascript/	http://stackoverflow.com/questions/5882716/html5-canvas-vs-svg-vs-div
http://www.stucox.com/blog/you-cant-detect-a-touchscreen/	https://github.com/WICG/EventListenerOptions/blob/gh-pages/explainer.md
https://www.ietab.net/enterprise/ietabhelper.exe	https://www.ietab.net/enterprise/ietabhelper.msi
http://www.ietab.net/ie-tab-documentation#local-network-support	https://www.ietab.net/regkey
http://www.ietab.net/regkey	http://www.ietab.net/pricing?fr=buynow
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.11.2/css/all.min.css	https://fonts.googleapis.com/css?family=Open+Sans:300
http://www.ietab.net	https://chrome.google.com/webstore/detail/ie-tab/hehijbfgiekmjfkfjpbkbammjbdenadd/reviews
https://www.ietab.net/bin/ietab.crashdumps.reg	https://www.ietab.net/grant-more-permissions
http://www.microsoft.com/	https://www.ietab.net/ie-tab-documentation#per-url-compat-mode
http://msdn.microsoft.com/en-us/library/ie/ee330730	http://www.ietab.net/
http://www.google.com

Raw Manifest

{
  "name": "IE Tab",
  "icons": {
    "16": "images/chromeie16.png",
    "32": "images/chromeie32.png",
    "48": "images/chromeie48.png",
    "128": "images/chromeie128.png"
  },
  "action": {
    "default_icon": "images/chromeba.png",
    "default_title": "__MSG_extBrowserActionTooltip__"
  },
  "storage": {
    "managed_schema": "managed_schema.json"
  },
  "version": "19.3.5.1",
  "background": {
    "service_worker": "js/background.js"
  },
  "short_name": "IE Tab",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extDescription__",
  "permissions": [
    "tabs",
    "storage",
    "contextMenus",
    "webRequest",
    "webRequestBlocking",
    "nativeMessaging",
    "cookies",
    "alarms",
    "offscreen",
    "declarativeNetRequestWithHostAccess"
  ],
  "options_page": "options.html",
  "default_locale": "en_US",
  "content_scripts": [
    {
      "js": [
        "js/extapi_cs.js"
      ],
      "run_at": "document_start",
      "matches": [
        "*://*.ietab.net/*"
      ]
    },
    {
      "js": [
        "js/ietabapi_cs.js"
      ],
      "run_at": "document_start",
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "downloads"
  ],
  "externally_connectable": {
    "ids": [
      "*"
    ],
    "matches": [
      "*://*.ietab.net/*"
    ]
  },
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "js/extapi_wp.js",
        "js/ietabapi_wp.js",
        "redir.htm",
        "options.html"
      ]
    }
  ]
}

by ✦ Astarte

IE Tab

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Optional Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (61 total):

Raw Manifest

Detections

Manifest Findings