JP English Dictionary: English to 200 Languages
Version 1.1.2 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a perfect 5.0 rating with 1,300 reviews and 4,000 users, suggesting positive user experiences. The developer operates from jpdictionary.com, indicating a dedicated domain for the service. However, the relatively small user base for a translation tool raises questions about its necessity compared to established alternatives like Google Translate.
The extension's permissions are severely excessive for a dictionary application. The combination of broad host permissions with content script injection across all websites creates significant privacy and security risks. The webNavigation permission allows comprehensive browsing tracking, while the unsafe WebAssembly execution policy could hide malicious code. Most concerning is that a simple dictionary tool has no legitimate need to access all websites, manipulate tabs, or track navigation patterns.
The technical implementation suggests capabilities far beyond translation services, including potential data harvesting, credential theft, and comprehensive user surveillance. The Content Security Policy allowing unsafe WebAssembly execution is particularly alarming as it enables sophisticated attack vectors.
Do not install this extension. Use established translation services like Google Translate, Microsoft Translator, or browser-native translation features instead. If you must use this extension, run it in a completely isolated Chrome profile with no access to sensitive accounts or data. Consider that the excessive permissions indicate potential malicious intent disguised as a legitimate dictionary service.
Findings
Security Analysis Details
Required Permissions:
- storage
- tts
- tabs
- scripting
- contextMenus
- webNavigation
Host Permissions:
- <all_urls>
Content Security Policy:
- extension_pages: script-src 'self' 'wasm-unsafe-eval' ; object-src 'none'
Embedded URLs (126 total):
| http://www.apache.org/licenses/ | https://getbootstrap.com/ | |
| https://github.com/twbs/bootstrap/blob/master/LICENSE | http://www.w3.org/2000/svg | |
| http://www.apache.org/licenses/LICENSE-2.0 | https://bugzilla.mozilla.org/show_bug.cgi?id=706209 | |
| https://github.com/adobe-type-tools/cmap-resources | https://popper.js.org/ | |
| https://github.com/crypto-browserify/crypto-browserify | https://papago.naver.com/apis/langs/dect | |
| https://papago.naver.com/apis/n2mt/translate | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| https://registry.npmjs.org/axios/-/axios-0.21.4.tgz | https://github.com/axios/axios/issues | |
| https://axios-http.com | https://github.com/axios/axios.git | |
| https://www.bing.com/translator | https://www.bing.com/ttranslatev3?isVertical=1&& | |
| https://translate.googleapis.com/translate_a/t? | https://english.jpdictionary.com/en/setting | |
| https://jpdictionary.com | https://english.jpdictionary.com/?word= | |
| https://english.jpdictionary.com/ | http://www.w3.org/XML/1998/namespace | |
| http://www.w3.org/1999/xlink | http://www.xfa.org/schema/xci/ | |
| http://www.xfa.org/schema/xfa-connection-set/ | http://www.xfa.org/schema/xfa-data/ | |
| http://www.xfa.org/schema/xfa-form/ | http://www.xfa.org/schema/xfa-locale-set/ | |
| http://ns.adobe.com/xdp/pdf/ | http://www.w3.org/2000/09/xmldsig# | |
| http://www.xfa.org/schema/xfa-source-set/ | http://www.w3.org/1999/XSL/Transform | |
| http://www.xfa.org/schema/xfa-template/ | http://www.xfa.org/schema/xdc/ | |
| http://ns.adobe.com/xdp/ | http://ns.adobe.com/xfdf/ | |
| http://www.w3.org/1999/xhtml | http://ns.adobe.com/xmpmeta/ | |
| http://www.w3.org/1998/Math/MathML | https://vuetifyjs.com/getting-started/quick-start#bootstrapping-the-vuetify-object | |
| https://github.com/vuetifyjs/vuetify/issues/4068 | https://github.com/vuetifyjs/vuetify/releases/tag/v2.0.0#user-content-upgrade-guide | |
| https://chromewebstore.google.com/detail/ijdelikbohnbiacoipaclicioknnihni | https://github.com/zloirock/core-js/blob/v3.25.4/LICENSE | |
| https://github.com/zloirock/core-js | https://envi.jpdictionary.com/popup/comments.png | |
| https://en.jpdictionary.com/api/ | https://translate.googleapis.com/translate_a/single?client=gtx&sl= | |
| https://bit.ly/2ZqJzkp | https://ezse.net/other/grade/gpa.html?data= | |
| https://ezse.net/other/grade/percentagegrade.html?data= | http://mozilla.github.io | |
| https://mozilla.github.io | http://example.com | |
| https://clients2.google.com/service/update2/crx | http://docs.nwjs.io/en/latest/For%20Users/Advanced/JavaScript%20Contexts%20in%20NW.js/#access-nodejs-and-nwjs-api-in-browser-context | |
| https://www.electronjs.org/docs/api/process#processversionselectron-readonly | https://www.electronjs.org/docs/api/process#processtype-readonly | |
| https://github.com/webpack/webpack/issues/8826 | https://bugzilla.mozilla.org/show_bug.cgi?id=683280 | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=1170396 | http://www.wolframalpha.com/input/? | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=726227 | https://bugzilla.mozilla.org/show_bug.cgi?id=664884 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=972126 | http://www.libpng.org/pub/png/spec/1.2/PNG-Compression.html | |
| https://nodejs.org/api/http.html#http_message_headers. | https://github.com/Rob--W/open-in-browser/blob/7e2e35a38b8b4e981b11da7b2f01df0149049e92/extension/content-disposition.js | |
| https://github.com/Rob--W/open-in-browser/issues/26 | https://bugzil.la/875615 | |
| https://searchfox.org/mozilla-central/rev/4a590a5a15e35d88a3b23dd6ac3c471cf85b04a8/netwerk/mime/nsMIMEHeaderParamImpl.cpp#742-748 | http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.2: | |
| https://chromium.googlesource.com/chromium/src/+/2e231cf052ca5e68e22baf0008ac9e5e29121707 | https://chromium.googlesource.com/chromium/src.git/+/58ab4a971b06dec13e4edf9de8382ca6847f6190 | |
| https://github.com/mozilla/pdf.js.quickjs/blob/main/src/myjs.js | http://www.jpeg.org/public/fcd15444-1.pdf | |
| https://github.com/notmasteryet/jpgjs. | http://www.poynton.com/notes/colour_and_gamma/ColorFAQ.html |
Raw Manifest
{ "name": "__MSG_appName__", "icons": { "16": "icons/icon_16.png", "32": "icons/icon_32.png", "48": "icons/icon_48.png", "128": "icons/icon_128.png" }, "action": { "default_popup": "popup.html", "default_title": "Japanese Dictionary JP" }, "omnibox": { "keyword": "jp" }, "sandbox": { "pages": [ "opencvHandler.html" ] }, "version": "1.1.2", "background": { "service_worker": "background.js" }, "options_ui": { "page": "popup.html" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_appDesc__", "permissions": [ "storage", "tts", "tabs", "scripting", "contextMenus", "webNavigation" ], "default_locale": "en", "content_scripts": [ { "js": [ "contentScript.js" ], "css": [ "bootstrapcustom.min.css" ], "run_at": "document_idle", "matches": [ "<all_urls>" ], "all_frames": true } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval' ; object-src 'none'" }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "pdfjs/web/viewer.html", "opencvHandler.html" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.