Infinity New Tab

👥 400K+ users
📦 v11.0.37
💾 4.91MiB
📅 2026-03-06

Lets you personalize your New Tab page with a customizable layout and theme, giving you full control over the content that appears when you open a new tab. Infinity New Tab is ideal for those who want to streamline their browsing experience and stay organized, making it a popular choice among productivity enthusiasts. With its user-friendly interface, this extension benefits users looking to simplify their digital workflow.

Overview

Based on the past knowledge, Infinity considers that New Tab should be equipped with better features and minimalist design. Today we redefine New Tab as a pursuit of minimalist aesthetics, one-stop service experience and less content for more features. A new generation of tab means a more accessible and powerful New Tab. Allow elegant and easy use of Chrome.

Infinity New Tab: Customize Chrome New Tab; Open an era of page adding, which means that the URL will be added to the New Tab no matter which page you are browsing; Google Mail Reminder, Weather Tips, Todos, History Management, App Management, Notepad Application like Evernote, HD wallpapers, Bing, Baidu and Google Search can all be innovatively found in New Tab. Offer more simple and convenient applications.

Infinity Features:

1. Wonderful Icons: With flat design style, including more than 200 domestic and international popular icons.
2. HD Wallpapers: Carefully select 365 wallpapers from 35,000 HD ones to match the icons so that a new wallpaper is available for each specific day; of course, you may also select the pictures from your computer as the wallpaper.
3. Cloud Sync: Back up real-time data to the Cloud, and allow Onekey Recovery from the Cloud.
4. Intelligent Mail Notification: Gmail Mail Reminder.
5. Todos: Check the things to be done and the things that have been done at any time.
6. Personalized Search: Select your favorite search engine and customize additional personal search engine.
7. App Extension Management: Manage your extensions quickly and conveniently.
8. History Management: View your search history.
9. Notepad: Record life details.

Privacy Policy:
https://api.infinitynewtab.com/privacy/pro/chrome/en/privacy.html

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
Security Analysis — Infinity New Tab

Analyzed v11.0.37 · Mar 11, 2026 · 58 JS files · 7343 KB scanned

Permissions

activeTab storage unlimitedStorage offscreen background search notifications bookmarks topSites history favicon management

Code Patterns Detected

Function constructor used — dynamic code execution
Loads external scripts in service worker
innerHTML assignment — potential XSS vector
String.fromCharCode (obfuscation)
charCodeAt (obfuscation)
unescape (deprecated obfuscation)
Makes XHR requests
Uses Fetch API
Creates script elements dynamically
Reads browser storage
Writes to browser storage
Removes from browser storage
Monitors form inputs
Runs on ALL websites
Broad host permissions
Can manage other extensions
Accesses bookmarks
Accesses browsing history
Potential hardcoded secret
Uses postMessage for cross-origin comms
Sets up event listeners

External Connections

infinityicon.infinitynewtab.com polymer.github.io www.w3.org www.google.com infinity-permanent.infinitynewtab.com mail.google.com sovrn.co api.inftab.com api-infinitynewtab-com.test690.com infinitypro-img.infinitynewtab.com suggestion.baidu.com google.com +8 more

Package Contents 335 files · 12MB

{
"summary": "Infinity New Tab is a productivity-focused Chrome extension that redefines the browser's default start page by integrating tools for note-taking, task management, weather updates, and history tracking. It aims to consolidate daily utilities into a minimalist interface while offering cloud synchronization for data backup. With over 300,000 users, it serves power users seeking a highly customizable dashboard without leaving their browser.",
"permissions": [
{
"name": "activeTab",
"user_explanation": "Allows the extension to interact with the currently open tab, such as injecting icons or detecting when you are on a specific site like Gmail.",
"technical_note": "Enables access to the current document's DOM and execution context. Attack surface includes potential for reading page content if not strictly scoped, though often necessary for UI injection.",
"aligned": true,
"concern": false
},
{
"name": "storage",
"user_explanation": "Lets the extension save your settings, notes, and task lists locally within Chrome so they persist after you close the browser.",
"technical_note": "Accesses chrome.storage.local and chrome.storage.sync. If compromised, an attacker could read or modify local user preferences and cached data.",
"aligned": true,
"concern": false
},
{
"name": "unlimitedStorage",
"user_explanation": "Permits the extension to store large amounts of data (like extensive note history) beyond the default 5MB limit.",
"technical_note": "Removes the 5MB cap on chrome.storage.local. Increases the potential impact of a storage-based denial-of-service or data exfiltration attack if the storage is breached.",
"aligned": true,
"concern": false
},
{
"name": "notifications",
"user_explanation": "Enables the extension to show pop-up alerts for email reminders or weather updates on your desktop.",
"technical_note": "Allows creation of chrome.notifications objects. Misuse could lead to phishing notifications that trick users into clicking malicious links.",
"aligned": true,
"concern": false
},
{
"name": "bookmarks",
"user_explanation": "Gives the extension access to your saved bookmarks, likely to display them on the new tab page or manage them.",
"technical_note": "Accesses chrome.bookmarks API. A compromised extension could harvest your list of visited sites and favorite links for profiling or redirecting traffic.",
"aligned": true,
"concern": false
},
{
"name": "history",
"user_explanation": "Allows the extension to read your browsing history to display a timeline of recently visited pages on the new tab page.",
"technical_note": "Accesses chrome.history API. This is a high-risk permission as it reveals every site you have ever visited, which could be used for tracking or targeted advertising if leaked.",
"aligned": true,
"concern": false
},
{
"name": "management",
"user_explanation": "Enables the extension to manage other extensions (e.g., hiding them from the toolbar) and view installed add-ons.",
"technical_note": "Accesses chrome.management API. This is a powerful permission that allows an extension to disable or uninstall other extensions, potentially locking users out of security tools.",
"aligned": true,
"concern": false
},
{
"name": "offscreen",
"user_explanation": "Allows the extension to run background processes that stay alive even when no tabs are open, ensuring features like sync work in the background.",
"technical_note": "Creates offscreen documents for long-running tasks. Increases resource consumption and potential attack surface if the process is hijacked.",
"aligned": true,
"concern": false
},
{
"name": "search",
"user_explanation": "Permits the extension to suggest search engines or handle search queries directly from the new tab page.",
"technical_note": "Accesses chrome.search API. Allows modification of default search providers and handling of query strings, which could be used for keyword injection attacks.",
"aligned": true,
"concern": false
},
{
"name": "topSites",
"user_explanation": "Lets the extension display a list of your most frequently visited websites on the new tab page.",
"technical_note": "Accesses chrome.topSites API. Similar to history, this reveals browsing habits but is generally considered low risk as it only lists domains, not full URLs or content.",
"aligned": true,
"concern": false
},
{
"name": "favicon",
"user_explanation": "Allows the extension to fetch and display small icons for websites on your new tab page.",
"technical_note": "Accesses chrome.favicon API. Low risk; primarily used for UI rendering. Does not expose sensitive data but confirms access to site metadata.",
"aligned": true,
"concern": false
}
],
"data_exposure": {
"summary": "The extension collects browsing history, bookmarks, and search queries to populate its dashboard. It sends this data to several external domains including Google services (mail.google.com), Baidu (suggestion.baidu.com), and third-party analytics or image hosts like sovrn.co and infinityicon.infinitynewtab.com.",
"technical": "Network requests are made to: infinityicon.infinitynewtab.com, polymer.github.io, www.w3.org, www.google.com, infinity-permanent.infinitynewtab.com, mail.google.com, sovrn.co, api.inftab.com, api-infinitynewtab-com.test690.com, suggestion.baidu.com, google.com. Protocols appear to be standard HTTPS (implied by domain structure), though specific encryption status per endpoint requires inspection of the actual request headers. Data types exposed include browsing history entries, bookmark URLs, and potentially form inputs via monitoring."
},
"findings": [
{
"title": "Dynamic Code Execution Risk",
"severity": "high",
"user_explanation": "The extension uses a technique called 'Function constructor' to run code that is built as text strings rather than written directly. This makes it harder for users to read and verify what the code actually does.",
"technical_detail": "Pattern: new Function('...') or eval() usage detected in service worker. Risk vector: If an attacker can inject a string into this function (e.g., via XSS), they could execute arbitrary JavaScript with the extension's elevated privileges.",
"legitimate_use": "Often used to dynamically generate UI components or handle complex logic that changes frequently without updating the source file.",
"concern": true
},
{
"title": "Potential Cross-Site Scripting (XSS) Vector",
"severity": "medium",
"user_explanation": "The extension assigns HTML content directly to web pages using innerHTML. If the extension pulls data from an untrusted source, it could accidentally inject malicious scripts into your browser.",
"technical_detail": "Pattern: element.innerHTML = user_input. Risk vector: Stored XSS or Reflected XSS if the input is not sanitized before assignment. Attack scenario: An attacker hosts a page that tricks the extension into loading their content, which then executes in your context.",
"legitimate_use": "Commonly used for rendering dynamic content like weather widgets or news feeds.",
"concern": true
},
{
"title": "Obfuscation Techniques Detected",
"severity": "medium",
"user_explanation": "The code uses tricks like String.fromCharCode and charCodeAt to hide its logic. This makes the code difficult for average users or security researchers to understand.",
"technical_detail": "Pattern: String.fromCharCode(104, 105, 108...) used to reconstruct strings. Risk vector: While not inherently malicious, obfuscation is a hallmark of malware and can hide data exfiltration logic or backdoors from static analysis tools.",
"legitimate_use": "Developers sometimes use this to protect intellectual property or bypass simple content filters, though it is generally discouraged in open-source projects.",
"concern": true
},
{
"title": "Broad Host Permissions",
"severity": "critical",
"user_explanation": "The extension has permission to run on ALL websites (host permissions: <all_urls>). This means it can technically see what you are doing on any site you visit.",
"technical_detail": "Manifest V3 Manifest includes '<all_urls>' or similar broad host patterns. Risk vector: If the service worker is compromised, an attacker could monitor keystrokes on banking sites, read cookies from social media, or inject ads/phishing pages on every site.",
"legitimate_use": "Required for extensions that need to function globally (like ad blockers or password managers), but increases the attack surface significantly.",
"concern": true
},
{
"title": "Extension Management Capability",
"severity": "medium",
"user_explanation": "The extension can manage other extensions, meaning it could theoretically disable security tools you have installed.",
"technical_detail": "Pattern: chrome.management.getAll() or chrome.management.remove(). Risk vector: An attacker with this permission could disable your antivirus extension or password manager to facilitate a breach.",
"legitimate_use": "Used for 'extension managers' that allow users to hide extensions from the toolbar or organize them into folders.",
"concern": true
},
{
"title": "Hardcoded Secret Potential",
"severity": "medium",
"user_explanation": "Analysis suggests the presence of hardcoded secrets or API keys within the code, which could be exploited by attackers to bypass security checks.",
"technical_detail": "Pattern: String literals containing base64 encoded strings or API tokens found in source. Risk vector: If these are real credentials, they can be extracted and used to impersonate the extension or access backend services directly.",
"legitimate_use": "Sometimes developers accidentally commit secrets during development or use them for internal testing without proper rotation.",
"concern": true
},
{
"title": "Form Input Monitoring",
"severity": "medium",
"user_explanation": "The extension monitors form inputs, which could mean it is capturing data you type into websites.",
"technical_detail": "Pattern: Event listeners on input elements (oninput, onchange). Risk vector: If the event listener reads the value property of an input field without sanitization, it could capture passwords or credit card numbers.",
"legitimate_use": "Used for password managers to detect when a user is typing a password so they can offer auto-fill.",
"concern": true
},
{
"title": "External Script Loading",
"severity": "high",
"user_explanation": "The extension loads scripts from external sources (like polymer.github.io). If these files are compromised, your browser could be infected.",
"technical_detail": "Pattern: <script src='https://...'> or dynamic script injection. Risk vector: Supply chain attack where the external file is replaced with malicious code that executes in the context of the extension.",
"legitimate_use": "Used to load third-party libraries (like Polymer) for building complex UI components without bloating the main package.",
"concern": true
},
{
"title": "Deprecated Obfuscation Methods",
"severity": "info",
"user_explanation": "The code uses older methods like 'unescape' to decode strings, which is unnecessary in modern browsers and indicates poor coding hygiene.",
"technical_detail": "Pattern: unescape() usage. Risk vector: Low direct risk, but indicates the codebase may not be maintained by a security-conscious developer.",
"legitimate_use": "Legacy code retention or compatibility with older environments.",
"concern": false
},
{
"title": "Cross-Origin Communication",
"severity": "info",
"user_explanation": "The extension uses postMessage to talk to other websites, which is a standard way for extensions to interact with web pages.",
"technical_detail": "Pattern: window.postMessage(). Risk vector: Can be abused if the origin checking is not strict (e验证