Chinahelper Shop Assistant
Overview
ChinaHelper - Checking the seller for most popular China store.
Will show the whole truth about the reliability of the seller and real discounts!
The plugin contains all the best China Helper tools you need to shop safely from China.
By installing the ChinaHelper extension, you get information about the level of trust in the seller, which is based on official data and is generated in a convenient form and format for you directly on the official website of the online store of Chinese goods.
★ Protection against artificial discounts:
You can always see how the price of goods has changed over the past months, and get a convenient push notification of a price reduction - very convenient =)
★ Find similar products from other sellers, choose a cheaper product from a seller with a high rating.
★ Get quick and convenient access to popular sections of the site, “My Orders”, “My Account”, “Shopping Cart”, “My Coupons”
★ Tracking packages - add your track code and immediately find out where your package is.
We tried to make the most convenient service among such analogues as:
Our development team is constantly improving the service and adding new features to the expansion for greater convenience of shopping.
We use the Google Analytics service to collect statistics on the use of the service to make it better. If you do not want to transfer data to the Google Analytics service, please go to: http://tools.google.com/dlpage/gaoptout to refuse to transfer faceless data, more details in the "privacy policy" (see the website or the right column in chrome store)
We are open to dialogue, and are ready to help in solving any problems associated with the operation of ChinaHelper service.
Security Analysis — Chinahelper Shop Assistant
What This Extension Does
The Chinahelper Shop Assistant extension helps Chinese e-commerce shoppers by providing seller reliability checks, price tracking, and package tracking features. It is designed for users who shop on AliExpress and similar platforms to make informed purchasing decisions. The extension aims to improve shopping safety through transparency in pricing and seller trustworthiness.
Permissions Explained
- storage (expected): Allows the extension to save user preferences, settings, or data locally within the browser.
  Technical: Uses Chrome's chrome.storage API. Can store cookies, cached data, and configuration values. If compromised, could allow persistent tracking of user behavior across sessions.
- tabs (expected): Enables the extension to access or modify browser tabs, such as reading tab URLs or injecting scripts into pages.
  Technical: Uses chrome.tabs API. May be used for content script injection on specific domains like aliexpress.com. Risk is moderate if misused for unauthorized page manipulation.
- cookies (expected): Gives the extension access to cookies stored by websites, which may include session tokens or login information.
  Technical: Uses chrome.cookies API. Allows reading and modifying cookies for domains like aliexpress.com. If exploited, could hijack user sessions on those sites.
- webRequest (expected): Enables the extension to monitor or modify network requests made by the browser in real time.
  Technical: Uses chrome.webRequest API. Can intercept HTTP/HTTPS traffic, potentially allowing inspection of data sent between user and servers. High-risk if used for surveillance or manipulation.
- notifications (expected): Allows the extension to show pop-up notifications to the user, such as price drops or package updates.
  Technical: Uses chrome.notifications API. No sensitive data access; however, misuse could lead to spammy behavior or phishing-like alerts.
- http://*/* (check this): Grants broad access to all HTTP websites on the internet. This is highly permissive and raises concerns about potential misuse.
  Technical: Uses chrome.declarativeNetRequest or similar APIs for wildcard matching of URLs. Allows interception of unencrypted traffic, increasing risk of data exposure or man-in-the-middle attacks. ⚠ 1
- https://*/* (check this): Grants broad access to all HTTPS websites on the internet. While secure by default, it still allows extensive monitoring of web traffic.
  Technical: Same as above but for encrypted connections. Still poses a risk if used inappropriately due to its wide scope and potential for data interception or manipulation. ⚠ 1
Your Data
The extension accesses cookies, local storage, and sends information to various domains including AliExpress, Google Analytics, and tracking services. It appears to collect user browsing data for analytics purposes.
Technical Details
Contacts domains such as aliexpress.com, www.aliexpress.ru, my.aliexpress.com, trade.aliexpress.com, svgjs.dev, rdtds.net, 17track.net, and www.w3.org. Data types include cookies (session tokens), page content, and potentially user behavior logs. Uses HTTP/HTTPS protocols; no explicit encryption details provided.
Code Findings
The extension uses obfuscation techniques to hide code logic, which can make it harder to analyze what the extension actually does.
Technical: JavaScript files contain calls like String.fromCharCode() and .charCodeAt(), often used in obfuscated scripts. This pattern is common for hiding malicious intent or complex behavior from casual inspection.
💡 Obfuscation is frequently used by legitimate extensions to protect intellectual property or reduce reverse-engineering risk.
The extension can read and modify cookies, which may include session tokens that allow access to user accounts on AliExpress.
Technical: Uses chrome.cookies API. If misused, could enable session hijacking or unauthorized account access across domains like aliexpress.com.
💡 Common in extensions that need to maintain login state or interact with authenticated sites.
There may be a hardcoded secret (e.g., API key) within the extension code, which could pose a security risk if exposed.
Technical: Code analysis detected possible presence of hard-coded secrets or keys in JavaScript files. These can be extracted by anyone with access to the source code and might allow unauthorized access to backend services.
💡 Used for authentication tokens or API keys, but should ideally be managed via secure environment variables rather than hardcoded values.
The extension injects scripts into pages from multiple AliExpress domains, which is expected for its functionality but requires careful monitoring.
Technical: Content scripts are injected into *://*.aliexpress.com/*, *://*.aliexpress.us/*, and *://*.aliexpress.ru/*. This allows the extension to interact with page content directly. Risk depends on how these scripts handle data or communicate externally.
💡 Standard practice for extensions that enhance functionality on specific websites like e-commerce platforms.
The extension does not enforce a strict Content Security Policy, which could leave it vulnerable to cross-site scripting attacks.
Technical: No CSP header is set in the manifest or injected scripts. This increases risk of script injection vulnerabilities if content scripts are not properly sanitized.
💡 CSP enforcement varies by extension design; some prioritize performance over strict security policies.
The Chinahelper Shop Assistant extension has a stated purpose aligned with its features, but it requests overly broad permissions that exceed what is necessary for basic functionality. It accesses cookies and uses obfuscation techniques which raise concerns about potential misuse or hidden behavior. Users should exercise caution when installing this extension due to the high-risk permissions granted and lack of transparency in data handling practices.