Mcafee® Web Boost
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Blocks auto-playing videos from slowing down your web-browsing experience, allowing you to focus on the content that matters most. Lets you enjoy uninterrupted browsing on YouTube and other video-sharing sites. Adds a simple solution for users who want to take control of their online viewing experience.
Overview
McAfee® Web Boost is a browser extension that speeds up your web-browsing and helps save your data and battery life by stopping annoying auto-playing videos.
By downloading McAfee Web Boost, you agree to our License Agreement and Privacy Notice.
License Agreement:
https://www.mcafee.com/consumer/en-us/policy/global/legal.html?tab=license
Privacy Notice:
https://www.mcafee.com/consumer/en-us/policy/global/legal.html?tab=privacy
Tags
Privacy Practices
Security Analysis — Mcafee® Web Boost
Permissions
Code Patterns Detected
External Connections
Package Contents 71 files · 409KB
What This Extension Does
McAfee Web Boost is a browser extension that stops auto-playing videos, speeds up web-browsing, and saves data and battery life. It's designed for users who want to improve their online experience. However, its broad permissions raise some concerns about data exposure and potential security risks.
Permissions Explained
- webRequestexpected: This permission lets the extension control which websites can load content on your behalf.
Technical: The webRequest API allows the extension to intercept, block, or modify network requests. This includes HTTP and HTTPS requests, as well as WebSocket connections. If compromised, an attacker could inject malicious scripts or steal sensitive data. - declarativeNetRequestexpected: This permission lets the extension block or modify network requests based on predefined rules.
Technical: The declarativeNetRequest API allows the extension to specify which network requests should be blocked or modified. This can include filtering out malicious content, but also raises concerns about potential over-blocking or under-blocking of legitimate traffic. - tabsexpected: This permission lets the extension access and manipulate your browsing history and tabs.
Technical: The tabs API allows the extension to read and write tab metadata, including URLs, titles, and content. This can be used for legitimate purposes like tracking browsing habits or providing recommendations, but also raises concerns about potential data exposure or manipulation of user behavior. - nativeMessagingcheck this: This permission lets the extension communicate with native applications on your device.
Technical: The nativeMessaging API allows the extension to send and receive messages with native applications, which can be used for legitimate purposes like integrating browser functionality with desktop apps. However, this also raises concerns about potential data exposure or exploitation of vulnerabilities in native code. ⚠ 1 - storageexpected: This permission lets the extension store and retrieve data on your device.
Technical: The storage API allows the extension to read and write data in the browser's storage, including cookies, local storage, and session storage. This can be used for legitimate purposes like storing user preferences or tracking browsing habits, but also raises concerns about potential data exposure or manipulation of user behavior. - unlimitedStoragecheck this: This permission lets the extension store an unlimited amount of data on your device.
Technical: The unlimitedStorage API allows the extension to store an arbitrary amount of data in the browser's storage, which can be used for legitimate purposes like storing large amounts of user-generated content. However, this also raises concerns about potential data exposure or manipulation of user behavior. ⚠ 1 - webNavigationexpected: This permission lets the extension control which websites can load content on your behalf.
Technical: The webNavigation API allows the extension to intercept, block, or modify navigation requests. This includes HTTP and HTTPS requests, as well as WebSocket connections. If compromised, an attacker could inject malicious scripts or steal sensitive data. - activeTabexpected: This permission lets the extension access the currently active tab.
Technical: The activeTab API allows the extension to read and write metadata of the currently active tab, including URLs, titles, and content. This can be used for legitimate purposes like tracking browsing habits or providing recommendations, but also raises concerns about potential data exposure or manipulation of user behavior. - alarmscheck this: This permission lets the extension schedule and manage alarms on your device.
Technical: The alarms API allows the extension to schedule and manage alarms, which can be used for legitimate purposes like reminding users of upcoming events or providing notifications. However, this also raises concerns about potential data exposure or exploitation of vulnerabilities in native code. ⚠ 1 - scriptingexpected: This permission lets the extension execute scripts on your behalf.
Technical: The scripting API allows the extension to inject and execute scripts, which can be used for legitimate purposes like providing functionality or tracking browsing habits. However, this also raises concerns about potential data exposure or exploitation of vulnerabilities in script code. - *://*/check this: This permission lets the extension access all websites on the internet.
Technical: The *://*/ permission allows the extension to access any website, which raises significant concerns about potential data exposure or exploitation of vulnerabilities in web code. This is a broad and potentially insecure permission that should be used with caution. ⚠ 1
Your Data
McAfee Web Boost accesses browsing history, tabs, storage, and navigation data on your device. It also sends data to www.siteadvisor.com, home.mcafee.com, schemas.xmlsoap.org, and www.w3.org.
Technical Details
Code Findings
This finding indicates that the extension uses an innerHTML assignment to set content on a webpage. This can potentially be exploited by malicious scripts to inject cross-site scripting (XSS) attacks.
Technical: The extension uses the following code pattern: element.innerHTML = data;. This raises concerns about potential XSS vulnerabilities if user-input data is not properly sanitized.
💡 This pattern is commonly used in legitimate extensions for rendering dynamic content or injecting scripts. However, it requires careful attention to input validation and sanitization to prevent XSS attacks.
This finding indicates that the extension uses the Fetch API for making network requests. This is a common and secure practice for making HTTP requests in modern web development.
Technical: The extension uses the fetch() function to make network requests, which is a secure and modern way of making HTTP requests.
💡 This pattern is commonly used in legitimate extensions for making network requests. It provides a secure and efficient way of communicating with servers.
This finding indicates that the extension has broad host permissions, allowing it to run on all websites. This raises concerns about potential data exposure or exploitation of vulnerabilities in web code.
Technical: The extension uses the *://*/ permission, which allows it to access any website. This is a broad and potentially insecure permission that should be used with caution.
💡 This pattern is commonly used in legitimate extensions for providing functionality or tracking browsing habits. However, it requires careful attention to input validation and sanitization to prevent data exposure or exploitation of vulnerabilities.
This finding indicates that the extension can intercept, block, or modify network requests. This raises concerns about potential data exposure or exploitation of vulnerabilities in web code.
Technical: The extension uses the webRequest and declarativeNetRequest APIs to intercept, block, or modify network requests. This provides a powerful tool for controlling network traffic, but also raises concerns about potential misuse or exploitation of vulnerabilities.
💡 This pattern is commonly used in legitimate extensions for filtering out malicious content or providing recommendations. However, it requires careful attention to input validation and sanitization to prevent data exposure or exploitation of vulnerabilities.
This finding indicates that the extension uses the postMessage API for communicating with other scripts across origins. This is a common and secure practice for making cross-origin requests.
Technical: The extension uses the postMessage() function to communicate with other scripts across origins, which is a secure way of making cross-origin requests.
💡 This pattern is commonly used in legitimate extensions for communicating with other scripts or providing functionality. However, it requires careful attention to input validation and sanitization to prevent data exposure or exploitation of vulnerabilities.
This finding indicates that the extension sets up event listeners for various events. This is a common and secure practice for handling user interactions or tracking browsing habits.
Technical: The extension uses the addEventListener() function to set up event listeners, which is a secure way of handling user interactions or tracking browsing habits.
💡 This pattern is commonly used in legitimate extensions for providing functionality or tracking browsing habits. However, it requires careful attention to input validation and sanitization to prevent data exposure or exploitation of vulnerabilities.
McAfee Web Boost has some concerning permissions and potential security risks, including broad host permissions, potential XSS vectors, and data exposure. While the extension provides legitimate functionality for improving online experience, users should exercise caution when installing and using this extension.
