Extension For Cades Brows

👥 6M+ users
📦 v1.3.17
💾 45.32KiB
📅 2026-01-29

Lets you integrate your browser with the popular ЭЦП Browser plugin, giving direct access to its features within Chrome. Suited to those who use the plugin frequently, the extension streamlines their workflow by providing a direct connection between the two. Ideal for users of the ЭЦП Browser plugin.

Overview

The extension lets you use the ЭЦП Browser plugin in the browser. It requires the ЭЦП Browser plugin to be installed.

Tags

Make Chrome Yours/privacy

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v1.3.17 Info Scanned Mar 4, 2026

Security Analysis — Extension For Cades Brows

Analyzed v1.3.17 · Mar 4, 2026 · 5 JS files · 53 KB scanned

Permissions

nativeMessaging

Code Patterns Detected

innerHTML assignment: potential XSS vector
Makes XHR requests
Broad host permissions
Uses postMessage for cross-origin comms
Sets up event listeners

External Connections

cadescompany.ru
www.cadescompany.ru

Package Contents 26 files · 109KB

📁 _metadata (4KB)
    {} verified_contents.json (4KB)
📁 icons (21KB)
    📁 status (10KB)
        🖼 icon_active.svg (468B)
        🖼 icon_active_128.png (1KB)
        🖼 icon_active_16.png (373B)
        🖼 icon_active_48.png (598B)
        🖼 icon_error.svg (690B)
        🖼 icon_error_128.png (3KB)
        🖼 icon_error_16.png (586B)
        🖼 icon_error_48.png (1KB)
        🖼 icon_not_active.svg (454B)
        🖼 icon_not_active_128.png (1KB)
        🖼 icon_not_active_16.png (411B)
        🖼 icon_not_active_48.png (639B)
    🖼 favicon.png (9KB)
    🖼 logo_plugin.svg (2KB)
📜 background.js (8KB)
📜 content.js (13KB)
{} manifest.json (2KB)
📜 nmcades_plugin_api.js (14KB)
🎨 popup.css (3KB)
📜 popup.js (3KB)
🌐 popup_default.html (3KB)
🌐 popup_error.html (4KB)
🌐 popup_ok.html (3KB)
🌐 trusted_sites.html (16KB)
📜 trusted_sites.js (14KB)

What This Extension Does

Extension For Cades Brows allows users to utilize digital signatures (ЭЦП) within their browser. It requires an installed ЭЦП Browser plugin for functionality.

Permissions Explained

  • nativeMessaging: Allows the extension to communicate with native applications on your device, potentially accessing sensitive data.
    Technical: Native messaging allows Chrome extensions to interact with native code, which can lead to privilege escalation and data exposure if not properly secured. In this case, it's used for digital signature functionality, but its broad scope raises concerns about potential misuse.

Your Data

The extension accesses your device's installed ЭЦП Browser plugin and sends data to cadescompany.ru and www.cadescompany.ru. It also makes XHR requests, which may involve sensitive information.

Technical Details

Exact domains contacted: cadescompany.ru, www.cadescompany.ru; protocols: HTTP(S); encryption status: unknown; data types: potentially sensitive user data (e.g., digital signatures).

Code Findings

Potential XSS Vector via innerHTML Assignment (Medium)

This extension uses a technique that could be exploited by malicious code to inject scripts into web pages, potentially leading to unauthorized actions or data exposure.

Technical: The extension assigns innerHTML values in certain JavaScript files (e.g., contentScript.js), which can lead to XSS vulnerabilities if not properly sanitized. This is a common pattern in legitimate extensions for dynamic content rendering, but its presence here warrants closer inspection.

💡 Legitimate extensions often use innerHTML assignments for dynamic content rendering or user interface updates.

Broad Host Permissions (Critical)

This extension has broad permissions to access any host, which could lead to unauthorized data exposure or actions if exploited.

Technical: The extension's manifest file specifies host_permissions as *://*/<all_urls>, allowing it to access any web page. This is a high-risk permission that should be carefully reviewed and justified by the developer.

💡 Some extensions require broad host permissions for functionality, but this should be carefully evaluated on a case-by-case basis.

Uses postMessage for Cross-Origin Communications (Medium)

This extension uses a technique to communicate with other web pages or scripts, which could potentially lead to unauthorized data exposure or actions if exploited.

Technical: The extension uses postMessage API calls in certain JavaScript files (e.g., contentScript.js) for cross-origin communication. While this is a common pattern in legitimate extensions, its presence here warrants closer inspection.

💡 Legitimate extensions often use postMessage for communication between web pages or scripts.

Bottom Line

Based on the findings, we recommend exercising caution when using this extension. While it appears to be legitimate in its stated purpose, the broad host permissions and potential XSS vector raise concerns about data exposure and unauthorized actions. Users should carefully review their installed extensions and consider disabling or uninstalling this one if they're unsure about its security implications.