[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Whatfix for BRP_SFFinancial

Version 2025.11.18.1906 View in Chrome Web Store

Last scanned: about 8 hours ago

Extension Details

Rating: 4.2 ★

Users: 5,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a moderate user base of 5,000 users and a decent rating of 4.2, suggesting some level of user acceptance. However, the lack of visible author and developer information raises transparency concerns. The extension appears to be a specialized tool for BRP's Salesforce Financial system, indicating it's likely an enterprise solution rather than a general consumer extension.

Concerns:

The webNavigation permission is particularly concerning as it allows comprehensive tracking of browsing behavior across all websites, which is excessive for what appears to be a Salesforce-specific tool. The broad host permissions extending beyond just Salesforce domains (including *.whatfix.com/*) create additional attack surfaces. The content scripts target multiple Salesforce environments including sandbox and production systems, which could pose risks if the extension is compromised. The combination of navigation tracking capabilities with access to financial system environments creates significant privacy and security exposure.

Recommendations:

Given the high-risk profile, consider running this extension in a dedicated Chrome profile used exclusively for BRP Salesforce work. Verify with your IT department that this extension is officially sanctioned and regularly audited. Monitor the extension's behavior and disable it when not actively needed for Salesforce tasks. Consider whether the functionality provided justifies the extensive permissions granted, and explore alternative solutions with more limited access requirements.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

webNavigation
storage
alarms

Host Permissions:

https://*.whatfix.com/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'

Embedded URLs (159 total):

https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE	https://github.com/csstree/csstree?tab=readme-ov-file#features
http://opensource.org/licenses/BSD-3-Clause	https://code.google.com/p/closure-compiler/source/browse/trunk/src/com/google/debugging/sourcemap/Base64VLQ.java
https://github.com/Polymer/polymer-bundler/pull/519	https://github.com/mozilla/source-map/pull/31
https://github.com/mozilla/source-map/issues/30	https://www.w3.org/TR/css-values-4/#component-multipliers
https://drafts.csswg.org/css-values-3/#numeric-ranges	https://www.w3.org/TR/css-syntax-3/#serialization
https://github.com/w3c/csswg-drafts/pull/6874	https://www.w3.org/TR/css-syntax-3/#anb
https://drafts.csswg.org/css-cascade-5/	https://drafts.csswg.org/css-syntax/#urange
https://drafts.csswg.org/css-values/#calc-notation	https://drafts.csswg.org/css-values-4/#custom-idents
https://developer.mozilla.org/en-US/docs/Web/CSS/custom-ident	https://drafts.csswg.org/css-variables/#typedef-custom-property-name
https://drafts.csswg.org/css-color-4/#hex-notation	https://drafts.csswg.org/css-syntax/#any-value
https://drafts.csswg.org/css-values-4/#percentages	https://drafts.csswg.org/css-values-4/#numbers
https://drafts.csswg.org/css-values-4/#integers	https://github.com/csstree/csstree/issues
https://drafts.csswg.org/css-values-4/#lengths	https://www.w3.org/TR/css-values-3/#lengths
https://drafts.csswg.org/css-values-4/#font-relative-lengths	https://drafts.csswg.org/css-values-4/#viewport-relative-lengths
https://drafts.csswg.org/css-contain-3/#container-lengths	https://www.w3.org/TR/css-values-3/#angles
https://www.w3.org/TR/css-values-3/#time	https://www.w3.org/TR/css-values-3/#frequency
https://www.w3.org/TR/css-values-3/#resolution	https://drafts.csswg.org/css-grid/#fr-unit
https://www.w3.org/TR/css3-speech/#mixing-props-voice-volume	https://www.w3.org/TR/css3-speech/#voice-props-voice-pitch
https://drafts.csswg.org/css-syntax/#declaration-diagram	https://drafts.csswg.org/mediaqueries-3/#values
https://drafts.csswg.org/css-syntax-3/	https://en.wikipedia.org/wiki/Byte_order_mark
https://drafts.csswg.org/css-syntax-3/#consume-token	https://www.w3.org/TR/css-syntax-3/
https://drafts.csswg.org/cssom/#serialize-an-identifier	https://drafts.csswg.org/cssom/#serialize-a-string
https://developer.chrome.com/docs/extensions/reference/alarms/	https://whatfix.atlassian.net/browse/SUCC-6316
http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
https://whatfix.com/community/#	https://whatfix.com/terms-services/
https://whatfix.com/privacy-policy/	https://support.whatfix.com/docs/manageextensionsonthewhatfixdashboard
https://support.whatfix.com/docs/triggeringliveinstructionsthroughjavascript	https://support.whatfix.com/docs/multi-languagesupport
https://support.whatfix.com/docs/structureoflanguagepropertyfiles	https://support.whatfix.com/docs/identifyingconditionsforshowingtooltips
https://support.whatfix.com/docs/branchinginawalkthrough	https://support.whatfix.com/docs/whatfixreleasenotes
https://support.whatfix.com/docs/tasklistapi	https://support.whatfix.com/docs/usingvideoplayerparameters
https://support.whatfix.com/docs/selfhelpwidgetapi	https://support.whatfix.com/docs/selfhostingwhatfixcontent
https://support.whatfix.com/x/_gAF	https://support.whatfix.com/docs/usingdynamicurlsforyourflows
https://help.whatfix.com/pages/viewpage.action?pageId=328693	https://support.whatfix.com/docs/downloadexportedflowsfromwhatfixcloudusingwhatfixapi
https://support.whatfix.com/docs/generatingtheapitoken	https://support.whatfix.com/docs/backbuttonforwalkthroughhelptips
https://support.whatfix.com/docs/settingupgoogleanalyticsfromthewhatfixdashboard	https://support.whatfix.com/studio/docs/self-hosting-whatfix-content
https://clients2.google.com/service/update2/crx	https://addons.whatfix.com/
http://code.google.com/p/google-web-toolkit/issues/detail?id=2079	http://www.w3
https://microsoftedge.microsoft.com/addons/detail/	https://chrome.google.com/webstore/detail/
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd	https://whatfix.com/#utm_campaign=ref_-&utm_medium=
https://fonts.gstatic.com/s/inter/v11/UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuLyfAZJhiI2B.woff2	https://fonts.gstatic.com/s/inter/v11/UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuLyfAZthiI2B.woff2

Page 1 of 2

Raw Manifest

{
  "name": "Whatfix for BRP_SFFinancial",
  "icons": {
    "16": "logo16.png",
    "19": "logo19.png",
    "32": "logo32.png",
    "38": "logo38.png",
    "48": "logo48.png",
    "128": "logo128.png"
  },
  "action": {
    "browser_action": {
      "default_icon": "logo19.png",
      "default_title": "Whatfix for BRP_SFFinancial"
    }
  },
  "version": "2025.11.18.1906",
  "incognito": "split",
  "background": {
    "service_worker": "extension.background/extension.background.nocache.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Whatfix provides in-app interactive guides and walkthroughs to Ease User Onboarding, Reduce Training, and Improve Support.",
  "permissions": [
    "webNavigation",
    "storage",
    "alarms"
  ],
  "content_scripts": [
    {
      "js": [
        "extension.foreground/extension.foreground.nocache.js"
      ],
      "matches": [
        "*://brpstratus.lightning.force.com/*",
        "*://*.visual.force.com/*",
        "*://*.visualforce.com/*",
        "*://*.vf.force.com/*",
        "*://brpstratus--sitepicint.sandbox.lightning.force.com/*",
        "*://brpstratus--training.sandbox.lightning.force.com/*",
        "*://brpstratus--uat.sandbox.lightning.force.com/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "https://*.whatfix.com/*"
  ],
  "manifest_version": 3,
  "externally_connectable": {
    "matches": [
      "https://*.whatfix.com/*/extension/*"
    ]
  },
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "*://brpstratus.lightning.force.com/*",
        "*://*.visual.force.com/*",
        "*://*.visualforce.com/*",
        "*://*.vf.force.com/*",
        "*://brpstratus--sitepicint.sandbox.lightning.force.com/*",
        "*://brpstratus--training.sandbox.lightning.force.com/*",
        "*://brpstratus--uat.sandbox.lightning.force.com/*"
      ],
      "resources": [
        "whatfix.com/*",
        "config.json",
        "env.json",
        "modules/*"
      ]
    }
  ]
}

by ✦ Astarte

Whatfix for BRP_SFFinancial

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (159 total):

Raw Manifest

Detections

Manifest Findings