Google Meet Enhanced ExperienceSecurity Analysis

Creates functions from strings, similar to eval(), often used to hide malicious code.

Uses eval() to execute dynamic code, a common technique for obfuscation and code injection.

Dynamically sets a script's src attribute to load external code at runtime.

Dynamically creates script elements, potentially loading external malicious code.

Creates a function from a string (new Function()), similar to eval().

Uses eval() to execute dynamic code — a common vector for code injection.

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Sends messages via Chrome runtime, could communicate with external services.

Decodes base64 data, commonly used to hide malicious payloads.

Uses XMLHttpRequest to make network calls.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Line exceeds 5000 characters (entropy: 5.169088969386194)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Creates a Web Worker, which runs code in a separate thread — can be used for background computation or crypto mining.

Encodes data to base64, may be used for data exfiltration.