An Empirical Study of JavaScript Inclusion Security Issues in Chrome Extensions

TL;DR

This study systematically analyzes JavaScript inclusions in over 36,000 Chrome extensions, revealing security vulnerabilities from remote inclusions and outdated libraries, highlighting potential attack vectors.

Contribution

It provides the first comprehensive measurement and security assessment of JavaScript inclusions in Chrome extensions using static and dynamic analysis.

Findings

22 vulnerable remote JavaScript inclusions identified

Prevalent use of outdated, susceptible libraries

Majority of inclusions from local files, not external sources

Abstract

JavaScript, a scripting language employed to augment the capabilities of web browsers within web pages or browser extensions, utilizes code segments termed JavaScript inclusions. While the security aspects of JavaScript inclusions in web pages have undergone substantial scrutiny, a thorough investigation into the security of such inclusions within browser extensions remains absent, despite the divergent security paradigms governing these environments. This study presents a systematic measurement of JavaScript inclusions in Chrome extensions, employing a hybrid methodology encompassing static and dynamic analysis to identify these inclusions. The analysis of 36,324 extensions revealed 350,784 JavaScript inclusions. Subsequent security assessment indicated that, although the majority of these inclusions originate from local files within the extensions rather than external servers, 22 instances of vulnerable remote JavaScript inclusions were identified. These remote inclusions present potential avenues for malicious actors to execute arbitrary code within the extension's execution context. Furthermore, an analysis of JavaScript library utilization within Chrome extensions disclosed the prevalent use of susceptible and outdated libraries, notably within numerous widely adopted extensions.