uBlock Origin LiteSecurity Analysis

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

Listens for keyboard events, a common technique used by keyloggers.

Uses eval() to execute dynamic code, a common technique for obfuscation and code injection.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Dynamically creates script elements, potentially loading external malicious code.

Dynamically sets a script's src attribute to load external code at runtime.

Object.defineProperty() called on document — can intercept and override built-in browser APIs.

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Dynamically creates iframe elements, which can be used to load external content or hide malicious UI.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Sends messages via Chrome runtime, could communicate with external services.

Decodes base64 data, commonly used to hide malicious payloads.

Uses XMLHttpRequest to make network calls.

Uses document.write() which can inject arbitrary HTML/scripts into pages.

Line exceeds 5000 characters (entropy: 5.1996028079237435)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Encodes data to base64, may be used for data exfiltration.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Reads or writes to localStorage, which may contain sensitive site data.

rulesets/scripting/generic/annoyances-cookies.js

rulesets/scripting/generic/annoyances-social.js

rulesets/scripting/scriptlet/isolated/ublock-filters.js