Avast Online Security & PrivacySecurity Analysis

Uses eval() to execute dynamic code, a common technique for obfuscation and code injection.

Dynamically creates script elements, potentially loading external malicious code.

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

Uses XMLHttpRequest to make network calls.

Sends messages via Chrome runtime, could communicate with external services.

JavaScript file could not be parsed. May contain obfuscated or minified code.

Line exceeds 5000 characters (entropy: 4.362689238858342)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

Content script matches <all_urls>, executing on every website the user visits.

Reads or writes to localStorage, which may contain sensitive site data.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

client/advisor.js

client/cookie/cookieHandler.js

client/main.js

client/searchResults.js