Tag Assistant CompanionSecurity Analysis

Injects and executes scripts in web pages programmatically.

Dynamically creates script elements, potentially loading external malicious code.

Object.defineProperty() called on document — can intercept and override built-in browser APIs.

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Sends messages via Chrome runtime, could communicate with external services.

Uses document.write() which can inject arbitrary HTML/scripts into pages.

Makes HTTP requests to external servers, may be used for data exfiltration.

Intercepts form submissions, could capture login credentials.

Decodes base64 data, commonly used to hide malicious payloads.

Line exceeds 5000 characters (entropy: 5.028546369716897)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Encodes data to base64, may be used for data exfiltration.

Extension accepts messages from 3 external pattern(s). Verify these are trusted origins.

cs/gf/guided_flows_content_script_bin.js

cs/gf/guided_flows_content_script_bin.js