[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Starting analysis...

Javascript Object Browser

Version 1.2.1 View in Chrome Web Store

Last scanned: 2 days ago | force re-scan

Extension Details

Developer: duck-producktions.blogspot.com

Rating: 3.9 ★ (27 ratings)

Users: 3,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has a relatively small user base of 3,000 users with a moderate rating of 3.9 stars from only 27 reviews, indicating limited community validation. The developer uses a Blogspot domain rather than a professional website, which raises questions about legitimacy and long-term support. The lack of a proper description makes it impossible to understand the extension's intended purpose or justify its extensive permissions.

Concerns:

This extension exhibits extremely concerning permission overreach that is completely unjustifiable for a "Javascript Object Browser." It requests virtually every possible Chrome permission including debugger access, proxy control, privacy settings modification, clipboard access, browsing history, cookies, and web request interception. The combination of webRequest and webRequestBlocking permissions allows complete traffic manipulation. The Content Security Policy permits unsafe JavaScript evaluation, creating additional attack vectors. The extensive permissions could enable data theft, traffic hijacking, extension manipulation, and complete browser compromise.

Recommendations:

Do not install this extension under any circumstances. The permission set suggests potential malware rather than a legitimate development tool. If you absolutely need JavaScript debugging capabilities, use Chrome's built-in Developer Tools or seek well-established alternatives from reputable developers with transparent functionality descriptions. If already installed, remove immediately and consider running a security scan. The risk-to-benefit ratio is completely unacceptable for any legitimate use case.

Findings

HIGH

Dangerous Permission Combination: webRequest + webRequestBlocking

This extension can intercept, modify, and block web requests in real-time. This combination could be used to modify sensitive web traffic or steal data.

HIGH

High-Risk Permission: bookmarks

This extension has the bookmarks permission. Can access and modify bookmarks. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardRead

This extension has the clipboardRead permission. Can read clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: clipboardWrite

This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: history

This extension has the history permission. Can access your browsing history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: privacy

This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: proxy

This extension has the proxy permission. Can control proxy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequestBlocking

This extension has the webRequestBlocking permission. Can block and modify web requests in real-time. This could potentially be used maliciously to compromise security or privacy.

HIGH

Unsafe JavaScript Evaluation

This extension's Content Security Policy allows 'unsafe-eval', which permits dynamic JavaScript code execution using eval() and similar functions. This is a significant security risk as it could allow execution of malicious code.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: geolocation

This extension has the geolocation permission. Can access your location.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

MEDIUM

Older Manifest Version

This extension uses Manifest Version 2, which has fewer security restrictions than Manifest V3. Consider using extensions that have upgraded to V3.

Raw Manifest

{
  "app": {
    "launch": {
      "container": "tab",
      "local_path": "index.html",
      "manifest_version": 2
    }
  },
  "name": "Javascript Object Browser",
  "icons": {
    "16": "icon_16.png",
    "128": "icon_128.png"
  },
  "version": "1.2.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Browse through the objects in the default Javascript library and any local or online libraries",
  "permissions": [
    "*://*/*",
    "activeTab",
    "alarms",
    "background",
    "bookmarks",
    "browsingData",
    "chrome://favicon/",
    "clipboardRead",
    "clipboardWrite",
    "contentSettings",
    "contextMenus",
    "cookies",
    "debugger",
    "fileBrowserHandler",
    "fontSettings",
    "geolocation",
    "history",
    "idle",
    "management",
    "nativeMessaging",
    "notifications",
    "pageCapture",
    "power",
    "privacy",
    "proxy",
    "storage",
    "system.cpu",
    "system.display",
    "system.memory",
    "system.storage",
    "tabCapture",
    "tabs",
    "topSites",
    "tts",
    "ttsEngine",
    "unlimitedStorage",
    "webNavigation",
    "webRequest",
    "webRequestBlocking"
  ],
  "permissions_app": [
    "declarativeContent",
    "desktopCapture",
    "dns",
    "downloads",
    "gcm",
    "identity",
    "pushMessaging",
    "processes"
  ],
  "permissions_dev": [
    "infobars",
    "sessions",
    "signedInDevices",
    "ledger",
    "enterprise.platformKeys",
    "location"
  ],
  "manifest_version": 2,
  "content_security_policy": "script-src 'self' 'unsafe-eval'; script-src 'self' 'unsafe-inline'; object-src 'self'"
}

by ✦ Astarte

Javascript Object Browser

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Content Security Policy:

Embedded URLs (2 total):

Raw Manifest

Detections

Manifest Findings