Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Summary
A popular Google Chrome ad-blocking extension for YouTube, with over 10 million installs, has been found to possess the capability to execute arbitrary JavaScript code. This discovery by Island indicates a significant security flaw in an extension that carries a "Featured" badge on the Chrome Web Store.
IFF Assessment
This is bad news for defenders: a widely trusted browser extension with a large user base has been found to have a critical arbitrary script injection vulnerability.
Severity
An arbitrary JavaScript execution capability in a widely deployed browser extension constitutes a high-severity vulnerability. It allows an attacker to inject malicious code into websites visited by users, potentially leading to data theft, session hijacking, or other client-side attacks, with high impact and exploitability.
Defender Context
Defenders and end-users must recognize the supply chain risks associated with browser extensions, even those from seemingly reputable sources or with high install counts. This incident underscores the importance of regularly auditing installed extensions, understanding their permissions, and promptly removing any that are unnecessary or flagged as potentially malicious. It also highlights the broader trend of attackers targeting browser extensions as a vector for client-side compromise.
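One way to start the extension audit described above is to read each installed extension's manifest.json and flag the ones that are able to run code on every site. This is an added example, not code from Island or from the extension in question; the permission list, the match patterns treated as "all sites", and the sample manifest are assumptions chosen for illustration.

```python
import json
from pathlib import Path

# Assumed triage rules (not from the article): permissions that let an
# extension run code in pages, and match patterns that cover every site.
INJECTION_PERMS = {"scripting", "userScripts", "debugger"}
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    def strs(key):
        return {v for v in manifest.get(key, []) if isinstance(v, str)}
    findings = set()
    perms = strs("permissions")
    # Manifest V2 lists host patterns inside "permissions"; V3 uses "host_permissions".
    hosts = perms | strs("host_permissions")
    optional = strs("optional_permissions") | strs("optional_host_permissions")
    for perm in perms & INJECTION_PERMS:
        findings.add(f"code-execution permission: {perm}")
    if hosts & BROAD_PATTERNS:
        findings.add("host access to all sites")
    if optional & BROAD_PATTERNS:
        findings.add("can request host access to all sites at runtime")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_PATTERNS:
            findings.add("content script runs on all sites")
    return sorted(findings)

def audit_profile(extensions_dir):
    """Walk <Extensions>/<id>/<version>/manifest.json; map extension id to findings."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            found = assess_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            found = ["unreadable manifest"]  # malformed files deserve a manual look
        if found:
            report[ext_id] = found
    return report

# Constructed sample manifest, not taken from any real extension.
SAMPLE = {
    "manifest_version": 3,
    "permissions": ["storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://www.youtube.com/*"], "js": ["cs.js"]}],
}
```

Point `audit_profile` at a Chrome profile's `Extensions` directory to get a per-extension report. A finding shows what an extension is permitted to do, which is the input for deciding whether it is still needed, not evidence that it is misbehaving.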