Zotero ConnectorSecurity Analysis

Extension has cookie access and sends data to external servers — potential session token theft.

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

Extension manages other extensions and executes dynamic code — behavior consistent with malware dropper.

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Injects and executes scripts in web pages programmatically.

Manages other extensions, could disable security tools or install malware.

Uses eval() to execute dynamic code, a common technique for obfuscation and code injection.

Listens for keyboard events, a common technique used by keyloggers.

Dynamically creates script elements, potentially loading external malicious code.

Uses data URIs to execute code, bypassing content security policies.

Dynamically sets a script's src attribute to load external code at runtime.

Uses eval() to execute dynamic code — a common vector for code injection.

Mutation XSS bypass allowing script execution

Mutation XSS via namespace confusion

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Dynamically creates iframe elements, which can be used to load external content or hide malicious UI.

Decodes base64 data, commonly used to hide malicious payloads.

Uses XMLHttpRequest to make network calls.

Line exceeds 5000 characters (entropy: 5.352019590641997)

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Encodes data to base64, may be used for data exfiltration.

String with entropy 5.95 bits — may be encoded/encrypted data

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

background.js

lib/dompurify.js

lib/react.js

singlefile.js

ui/ModalPrompt.js