Podepisovací komponenta Signer
Version 2.0 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has 30,000 users, indicating some level of adoption, but several concerning trust indicators emerge. The extremely low rating of 1.0 from only 1 review is a major red flag. The lack of visible author and developer information raises transparency concerns. The name suggests it's a signing component for Czech/Slovak organizations (Asseco), which could indicate legitimate business use, but this cannot be verified without proper developer identification.
The extension's Content Security Policy allows 'unsafe-eval', creating a significant security vulnerability that permits dynamic JavaScript execution. This could enable malicious code execution if exploited. The nativeMessaging permission allows communication with native applications on the user's computer, which combined with the unsafe-eval policy creates a dangerous combination. The content scripts run on multiple domains including intranet and business-related sites, potentially accessing sensitive corporate data. The absence of developer information makes it impossible to verify the extension's legitimacy or contact the developer for security concerns.
Given the high-risk security findings and poor trust indicators, avoid installing this extension on your primary browser profile. If the extension is required for business purposes, run it in a completely separate Chrome profile with restricted access to personal data. Contact your IT department to verify if this is an approved corporate tool. Consider alternative signing solutions that don't require such broad permissions or unsafe JavaScript evaluation. Monitor the extension closely for any suspicious behavior if installation is absolutely necessary.
Findings
Security Analysis Details
Required Permissions:
- nativeMessaging
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self';
- sandbox: sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';
Embedded URLs (1 total):
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "Podepisovací komponenta Signer", "icons": { "16": "NMSigner16.png", "32": "NMSigner32.png", "48": "NMSigner48.png", "64": "NMSigner64.png", "128": "NMSigner128.png" }, "author": "Asseco Central Europe, a.s.", "version": "2.0", "background": { "service_worker": "service_worker.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Podepisovací komponenta Signer pro Chrome", "permissions": [ "nativeMessaging" ], "content_scripts": [ { "js": [ "content.js" ], "matches": [ "*://*.intranet.local/*", "*://*.asseco.cz/*", "*://*.asseco.sk/*", "*://*.assecosk.local/*", "*://*.asseco.com/*", "*://*.portalzp.cz/*", "*://*.cpzp.cz/*", "*://*.ozp.cz/*", "*://*.zpskoda.cz/*", "*://*.rbp-zp.cz/*", "*://*.vozp.cz/*", "*://*.kartamehosrdce.cz/*" ] } ], "manifest_version": 3, "externally_connectable": { "matches": [ "*://*.intranet.local/*", "*://*.asseco.cz/*", "*://*.asseco.sk/*", "*://*.assecosk.local/*", "*://*.asseco.com/*", "*://*.portalzp.cz/*", "*://*.cpzp.cz/*", "*://*.ozp.cz/*", "*://*.zpskoda.cz/*", "*://*.rbp-zp.cz/*", "*://*.vozp.cz/*", "*://*.kartamehosrdce.cz/*" ] }, "content_security_policy": { "sandbox": "sandbox allow-scripts allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';", "extension_pages": "script-src 'self'; object-src 'self';" } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.