Foxified
Overview
Foxified features
Emulation Sandbox
Firefox addons are emulated and served in a sandboxed unique origin.
WebExtension API
Foxified polyfills most of the browser and Chrome APIs, including XHR and the WebExtension API.
Extra Layer of Protection
All of the permissions are optional and requested upon plugin install.
Notes:
- Not all Firefox extensions are supported/compatible. We have only added support for a few APIs that are stable and we are working to add more.
- Foxified does not include analytics or gather any user data by itself. But you should beware when installing guest extensions.
Security Analysis — Foxified
Package Contents 125 files · 1.6MB
What This Extension Does
Foxified emulates Firefox extensions in Chrome, Opera, and other Chromium-based browsers. It allows users to install and run Firefox extensions on non-Firefox browsers. This extension is primarily for developers and power users who want to access Firefox-specific features.
Permissions Explained
- alarms (expected): Allows the extension to schedule notifications and reminders.
  Technical: Accesses Chrome's alarm API, allowing the extension to trigger events at specific times. This permission can be used for legitimate purposes such as reminding users about upcoming deadlines or scheduling tasks.
- storage (expected): Allows the extension to store and retrieve data on your device.
  Technical: Accesses Chrome's storage API, allowing the extension to read and write data in the browser's storage. This permission can be used for legitimate purposes such as storing user preferences or caching data.
- unlimitedStorage (expected): Allows the extension to store an unlimited amount of data on your device.
  Technical: Accesses Chrome's storage API with elevated permissions, allowing the extension to store large amounts of data. This permission can be used for legitimate purposes such as caching large files or storing user-generated content.
- offscreen (expected): Allows the extension to run in the background even when you're not actively using it.
  Technical: Accesses Chrome's off-screen tab API, allowing the extension to continue running in the background. This permission can be used for legitimate purposes such as monitoring system resources or performing maintenance tasks.
- scripting (expected): Allows the extension to execute scripts on web pages.
  Technical: Accesses Chrome's content script API, allowing the extension to inject and execute scripts on web pages. This permission can be used for legitimate purposes such as enhancing user experience or providing additional functionality.
- sidePanel (expected): Allows the extension to display a panel in the browser's sidebar.
  Technical: Accesses Chrome's side panel API, allowing the extension to create and manage panels. This permission can be used for legitimate purposes such as providing quick access to frequently used features or displaying system information.
- declarativeNetRequestWithHostAccess (expected): Allows the extension to block or modify network requests.
  Technical: Accesses Chrome's declarative net request API, allowing the extension to specify rules for blocking or modifying network requests. This permission can be used for legitimate purposes such as blocking ads or protecting against malware.
- tabs (expected): Allows the extension to access and manipulate browser tabs.
  Technical: Accesses Chrome's tab API, allowing the extension to read and write tab metadata. This permission can be used for legitimate purposes such as organizing tabs or providing quick access to frequently used features.
- downloads (expected): Allows the extension to download files from the internet.
  Technical: Accesses Chrome's downloads API, allowing the extension to initiate and manage downloads. This permission can be used for legitimate purposes such as downloading user-generated content or providing quick access to frequently used features.
- https://addons.cdn.mozilla.net/user-media/addons/* (check this): Allows the extension to access and modify data on Mozilla's servers.
  Technical: Accesses a specific domain for user media, allowing the extension to read and write data. This permission is HIGH risk due to its broad scope and potential for unauthorized data access.
Your Data
Foxified accesses storage on your device and sends data to various domains, including Mozilla's servers. It also makes XHR requests and uses the Fetch API to retrieve data from the internet.
Technical Details
Code Findings
The extension uses innerHTML to assign values to HTML elements, which can be a potential XSS vector if not properly sanitized.
Technical: Code pattern: element.innerHTML = value;. Risk vector: Cross-Site Scripting (XSS). Exploit scenario: An attacker could inject malicious script code into the extension's content scripts.
💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional functionality.
The extension uses String.fromCharCode and charCodeAt to obfuscate code, which can make it harder for users to understand what the extension is doing.
Technical: Code pattern: String.fromCharCode( value ); or charCodeAt( index );. Risk vector: Code obfuscation. Exploit scenario: An attacker could use this technique to hide malicious code or evade detection.
💡 This pattern is commonly used in legitimate extensions to compress or encrypt data, but it can also be used for malicious purposes.
The extension makes XHR requests to retrieve data from the internet.
Technical: Code pattern: XMLHttpRequest.open( method, url );. Risk vector: Data exposure. Exploit scenario: An attacker could intercept or manipulate XHR requests to steal sensitive information.
💡 This pattern is commonly used in legitimate extensions to retrieve data from the internet or communicate with servers.
The extension creates script elements dynamically, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: document.createElement( 'script' );. Risk vector: Cross-Site Scripting (XSS). Exploit scenario: An attacker could inject malicious script code into the extension's content scripts.
💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional functionality.
The extension runs on all websites, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: document.addEventListener( 'DOMContentLoaded', function() { ... } );. Risk vector: Cross-Site Scripting (XSS). Exploit scenario: An attacker could inject malicious script code into the extension's content scripts.
💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional functionality.
The extension has broad host permissions, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: chrome.permissions.request( { 'host': '*' } );. Risk vector: Data exposure. Exploit scenario: An attacker could use this permission to access sensitive information or manipulate data on the user's device.
💡 This pattern is commonly used in legitimate extensions to provide additional functionality or enhance user experience, but it can also be used for malicious purposes.
The extension can block or modify network requests, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: chrome.declarativeNetRequest.onUpdated( function() { ... } );. Risk vector: Data exposure. Exploit scenario: An attacker could use this permission to intercept or manipulate sensitive information.
💡 This pattern is commonly used in legitimate extensions to provide additional functionality or enhance user experience, but it can also be used for malicious purposes.
The extension creates iframe elements, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: document.createElement( 'iframe' );. Risk vector: Cross-Site Scripting (XSS). Exploit scenario: An attacker could inject malicious script code into the extension's content scripts.
💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional functionality.
The extension uses postMessage to communicate with other scripts across origins, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: window.postMessage( data, targetOrigin );. Risk vector: Cross-Site Scripting (XSS). Exploit scenario: An attacker could inject malicious script code into the extension's content scripts.
💡 This pattern is commonly used in legitimate extensions to communicate with other scripts or provide additional functionality.
The extension sets up event listeners to respond to user interactions, which can be a potential security risk if not properly sanitized.
Technical: Code pattern: document.addEventListener( 'click', function() { ... } );. Risk vector: Cross-Site Scripting (XSS). Exploit scenario: An attacker could inject malicious script code into the extension's content scripts.
💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional functionality.
Foxified has some security concerns due to its broad host permissions, potential XSS vectors, and use of obfuscation techniques. While it provides useful functionality for developers and power users, we recommend exercising caution when installing this extension and regularly reviewing its behavior to ensure it aligns with your expectations.