Findings

Broad Host Permissions

Flags items that declare overly broad host access patterns, enabling interaction with all websites. This level of access can be exploited to inject scripts into trusted sites and increases the risk of sensitive data exposure, cross-site surveillance, and credential harvesting.

medium

Unverified Publisher

Flags items published by entities that haven’t gone through the publisher verification process of the marketplace. Lack of verification may indicate higher risk, as the publisher’s identity and trustworthiness are unconfirmed.

medium

Publisher Low Install Count

Flags publishers lacking installs on the marketplace, suggesting concerns about the publisher's reliability.

low

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

Extension Purpose and Functionality

This Chrome extension adds custom jump buttons under specified DOM elements on web pages, based on URL patterns defined in a configuration file (config.json). The buttons are designed to facilitate quick navigation or actions related to the current page.

Key Functionalities and Behaviors

Configuration Loading:
- Loads a JSON configuration file (config.json) containing an array of button configurations.
URL Pattern Matching:
- Matches the current page URL against patterns in the configuration, supporting wildcards (*).
DOM Element Selection:
- Uses selectors from the configuration to find elements on the page where buttons should be added.
- Includes a safe querying mechanism to handle potentially problematic CSS selectors.
Button Creation:
- Creates anchor (<a>) elements styled as buttons with an embedded SVG icon.
- Buttons open links in new tabs with noopener noreferrer for security.
Button Click Behavior:
- On click, the button calls an external API (https://gateway.plug4.me/goods-service/spu/google-linkParsingToDetail) with the current page URL and a buy parameter from the config.
- If the API returns a valid result URL, it opens that URL in a new tab.
- If the API call fails or returns no result, it falls back to opening the configured target URL.
DOM Mutation Observers:
- Observes changes in the DOM to handle dynamically loaded content and Single Page Application (SPA) URL changes.
- Re-applies buttons as needed when the page content or URL changes.
Duplicate Prevention:
- Maintains a set of added buttons to avoid adding duplicates.

API Calls

const apiUrl = `https://gateway.plug4.me/goods-service/spu/google-linkParsingToDetail?url=${encodeURIComponent(currentUrl)}&buy=${encodeURIComponent(buyParam)}`;
fetch(apiUrl, { method: 'GET', headers: { 'Content-Type': 'application/json' } })

The extension makes GET requests to an external API hosted on gateway.plug4.me.
The API is queried with the current page URL and a buy parameter.

Network Activity

Communicates with https://gateway.plug4.me.

Filesystem Activity

Loads a local configuration file config.json via chrome.runtime.getURL.

Other Observations

No use of obfuscation techniques beyond standard minification.
No execution of shell commands, PowerShell, or process executions.
No Windows Registry operations, file creation, or user creation.
No clipboard access.

Potential Concerns

The extension relies on an external API (gateway.plug4.me) to determine the final URL to open on button click. This could potentially redirect users to unexpected destinations if the API is compromised or malicious.
However, the extension falls back to a predefined target URL if the API call fails or returns no result.

Summary

The extension enhances web pages by adding navigation buttons based on configurable rules and interacts with an external API to determine navigation targets. It does not exhibit direct malicious behavior such as data exfiltration, code execution, or privilege escalation within the analyzed code.

Permissions

high

tabs

api

Provides access to privileged information about open tabs including URLs, titles, and loading status, beyond basic tab management.

medium

storage

api

Enables persistent data storage for the extension, potentially storing large amounts of user-related information.

low

activeTab

api

Grants temporary access to the current tab's data when triggered by user interaction, limiting scope compared to permanent permissions.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

VULNERABILITIES ARE AVAILABLE FOR ENTERPRISE USERS

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://gateway.plug4.me/goods-service/spu/google-linkParsingToDetail?url=$

content.js

https://plug4.me/search?q=$

popup-script.js

https://gateway.plug4.me/goods-service/spu/google-linkParsingToDetail

content.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

DEPENDENCIES ARE AVAILABLE FOR ENTERPRISE USERS

Licenses & Compliance

Compliance

Compliance status and certifications for the extension and its publisher

Gmail

Gmail is compliant with GDPR, as indicated by its commitment in contracts regarding the processing of customer personal data in accordance with GDPR regulations. Additionally, Google's status as a parent company supports this compliance, confirmed by certifications such as ISO 27017 for Google Cloud and workplace services.

Compliant

Google LLC

Gmail, which is part of Google LLC, is stated to be ISO/IEC 27001:2022 certified along with its services such as Google Cloud Platform and Google Workspace. The parent company, Alphabet Inc., also benefits from this compliance as it oversees Google LLC.

Compliant

Gmail

Gmail, as a service of Google, is PCI DSS compliant. Google's PCI DSS certification meets the PCI DSS 4.0 compliance standard, assuring that they provide secure handling of cardholder information.

Compliant

Licenses

No license text available...