[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Fonts Ninja

Version 8.0.4 View in Chrome Web Store

Last scanned: 14 days ago | force re-scan

Extension Details

Developer: fonts.ninja

Rating: 4.4 ★ (877 ratings)

Users: 900,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

Fonts Ninja appears to be a legitimate typography tool with a substantial user base of 900,000 users and a solid 4.4-star rating from 877 reviews. The extension is developed by fonts.ninja, which suggests it's from the official company behind the service. The high user adoption and positive ratings indicate general user satisfaction and suggest the extension delivers on its promised functionality.

Concerns:

The primary concern is the combination of broad host permissions with tabs access, creating an extensive attack surface. While font identification legitimately requires access to webpage content across all sites, the tabs permission allows manipulation of browser tabs beyond what's typically necessary for font analysis. The activeTab permission would be more appropriate for this use case. The storage permission, while reasonable for saving font preferences, adds another data collection point. The broad host permissions mean this extension can access sensitive information on banking, email, and other private websites.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to design work to limit exposure of sensitive browsing activities. Regularly review what data the extension might be collecting through its storage capabilities. Monitor for any unusual tab behavior or unexpected website interactions. If you only need font identification occasionally, consider disabling the extension when not in use and enabling it only for specific design tasks. Alternative extensions with more restrictive permissions might be worth exploring for users with high security requirements.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

activeTab
tabs
storage
scripting

Host Permissions:

http://*/*
https://*/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self'
sandbox: sandbox allow-scripts; script-src 'self' ; object-src 'self'

Embedded URLs (60 total):

https://fontsninja.typeform.com/to/cHr9TWwD	https://report.extension.k8s-hz.fontradar.com/error-report
https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h	https://api-v2.fonts.ninja/extension/legacy/
https://reactjs.org/docs/error-decoder.html?invariant=	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/1999/xhtml
http://www.w3.org/2000/svg	http://www.w3.org/1998/Math/MathML
http://fb.me/use-check-prop-types	https://reactjs.org/link/react-polyfills
https://www.instagram.com/fontsninja/	https://chromewebstore.google.com/detail/fonts-ninja/eljapbgkmlngdpckoiiibecpemleclhh/reviews
https://apps.apple.com/fr/app/fonts-ninja/id1480227114	https://addons.mozilla.org/en-US/firefox/addon/fonts-ninja/
https://microsoftedge.microsoft.com/addons/detail/fonts-ninja/fmpleflnbilhgcdbccmjahkmbcfcmjpi	https://fonts.ninja
https://fonts.ninja/about-us	https://greensock.com
https://greensock.com/standard-license	https://fonts.ninja/bookmarks
https://github.com/thysultan/stylis.js/blob/e6843c373ebcbbfade25ebcc23f540ed8508da0a/src/Tokenizer.js#L239-L244	https://github.com/garycourt/murmurhash-js
https://github.com/aappleby/smhasher/blob/61a0530f28277f2e850bfc39600ce61d02b518de/src/MurmurHash2.cpp#L37-L86	https://github.com/emotion-js/emotion/tree/main/packages/react
https://caniuse.com/?search=globalThis	https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#ES2018_revision_of_illegal_escape_sequences
https://esbench.com/bench/5b809c2cf2949800a0f61fb5	https://bugs.chromium.org/p/v8/issues/detail?id=4118
https://bugs.chromium.org/p/v8/issues/detail?id=3056	http://fb.me/prop-types-in-prod
https://developers.google.com/web/updates/2017/01/scrolling-intervention	https://github.com/mzabriskie/react-draggable/pull/254
https://github.com/mzabriskie/react-draggable/issues/266	https://gist.github.com/rogozhnikoff/a43cfed27c41e4e68cdc
https://faisalman.github.io/ua-parser-js	https://github.com/faisalman/ua-parser-js
https://usehooks.com/usePrevious/	https://v3-preprod.fonts.ninja
https://esbench.com/bench/5bfee68a4cd7e6009ef61d23	https://github.com/greensock/GSAP/issues/322
https://greensock.com/forums/topic/23823-closing-nav-animation-not-working-on-ie-and-iphone-6-maybe-other-older-browser/?tab=comments#comment-113005	https://greensock.com/forums/topic/20215-problem-using-tweenmax-in-standalone-self-containing-svg-file-err-cannot-set-property-csstext-of-undefined/
https://bugzilla.mozilla.org/show_bug.cgi?id=612118	https://greensock.com/forums/topic/18310-clippath-doesnt-work-on-ios/
https://greensock.com/forums/topic/24583-how-to-return-colors-that-i-had-after-reverse/	https://greensock.com/forums/topic/20368-possible-gsap-bug-switching-classnames-in-chrome/.
https://bugzilla.mozilla.org/show_bug.cgi?id=548397	https://github.com/greensock/GSAP/issues/388
https://github.com/greensock/GSAP/issues/375	http://feross.org
https://evilmartians.com/chronicles/postcss-8-plugin-migration	https://www.w3ctech.com/topic/2226
https://feross.org/opensource	https://mths.be/codepointat
http://mths.be/fromcodepoint	http://www.w3.org/2000/xmlns/
https://clients2.google.com/service/update2/crx	https://www.fonts.ninja

Raw Manifest

{
  "name": "Fonts Ninja",
  "icons": {
    "16": "icons/icon-16.png",
    "32": "icons/icon-32.png",
    "48": "icons/icon-48.png",
    "128": "icons/icon-128.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/icon-16.png",
      "32": "icons/icon-32.png",
      "48": "icons/icon-48.png",
      "128": "icons/icon-128.png"
    },
    "default_title": "Fonts Ninja"
  },
  "author": "Fonts Ninja",
  "version": "8.0.4",
  "background": {
    "service_worker": "background.bundle.js"
  },
  "short_name": "Fonts Ninja",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Speed up your design workflow!",
  "permissions": [
    "activeTab",
    "tabs",
    "storage",
    "scripting"
  ],
  "homepage_url": "https://www.fonts.ninja",
  "content_scripts": [
    {
      "js": [
        "contentScript.bundle.js"
      ],
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "http://*/*",
    "https://*/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "sandbox": "sandbox allow-scripts; script-src 'self' ; object-src 'self'",
    "extension_pages": "script-src 'self'; object-src 'self'"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "extension.bundle.js",
        "frame.html",
        "icons/*",
        "img/*",
        "fonts-ninja-helpers/*",
        "*.woff",
        "*.woff2"
      ]
    }
  ]
}

by ✦ Astarte

Fonts Ninja

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (60 total):

Raw Manifest

Detections

Manifest Findings