Google Scholar Button

👥 3M+ users
📦 v3.6
💾 65.68KiB
📅 2024-05-16
Lets you quickly look up scholarly articles as you browse the web, directly from your browser's address bar or search results. Perfect for researchers, students, and anyone needing to verify information on academic papers. It is most useful to those who frequently need to cite sources or find relevant studies in their field of study.

Overview

This extension adds a browser button for easy access to Google Scholar from any web page. Click the Scholar button to:

- Find full text on the web or in your university library. Select the title of the paper on the page you're reading, and click the Scholar button to find it.

- Transfer your query from web search to Scholar. Press the Scholar button to see top three results; click "full screen" at the bottom of the popup to see them all.

- Format references in widely used citation styles. Press the quote button below the result to see a formatted reference and copy it into the paper you're writing.

- Save the article to your Scholar library, so you can read it or cite it later. Press the blue star below the result to save it, or the gray star at the bottom to see all saved articles.

Library links work best when you're on campus. To configure them for off-campus use, visit Google Scholar Settings at https://scholar.google.com/scholar_settings (you may need to login with your library password or to set up your browser to use a library proxy; please visit your library's website or ask a local librarian for assistance).

To search the US case law, click the gear icon at the bottom of the popup, and configure your preferred collection in Google Scholar Settings.

By installing this extension, you agree to the Google Terms of Service and Privacy Policy at https://www.google.com/intl/en/policies/.

Tags

Productivity/tools

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v3.6 Info Scanned Mar 5, 2026

Security Analysis — Google Scholar Button

Analyzed v3.6 · Mar 5, 2026 · 4 JS files · 24 KB scanned

Permissions

  • storage
  • activeTab
  • scripting
  • *://scholar.google.com/

Code Patterns Detected

  • innerHTML assignment — potential XSS vector
  • charCodeAt (obfuscation)
  • Makes XHR requests
  • Uses postMessage for cross-origin comms
  • Sets up event listeners

External Connections

  • scholar.google.com
  • lh3.googleusercontent.com
  • accounts.google.com

Package Contents 62 files · 105KB

📁 _locales (50KB)
  📁 ar (2KB)
    {} messages.json (2KB)
  📁 bg (2KB)
    {} messages.json (2KB)
  📁 ca
    {} messages.json (868B)
  📁 cs (1KB)
    {} messages.json (1KB)
  📁 da
    {} messages.json (900B)
  📁 de
    {} messages.json (909B)
  📁 el (3KB)
    {} messages.json (3KB)
  📁 en
    {} messages.json (776B)
  📁 es
    {} messages.json (880B)
  📁 es_419
    {} messages.json (880B)
  📁 fa (2KB)
    {} messages.json (2KB)
  📁 fi
    {} messages.json (851B)
  📁 fil
    {} messages.json (889B)
  📁 fr
    {} messages.json (943B)
  📁 he (2KB)
    {} messages.json (2KB)
  📁 hi (2KB)
    {} messages.json (2KB)
  📁 hr
    {} messages.json (892B)
  📁 hu
    {} messages.json (1021B)
  📁 id
    {} messages.json (784B)
  📁 it
    {} messages.json (855B)
  📁 ja (1KB)
    {} messages.json (1KB)
  📁 ko (1KB)
    {} messages.json (1KB)
  📁 lt
    {} messages.json (965B)
  📁 lv
    {} messages.json (1003B)
  📁 nl
    {} messages.json (854B)
  📁 no
    {} messages.json (870B)
  📁 pl
    {} messages.json (904B)
  📁 pt_BR
    {} messages.json (877B)
  📁 pt_PT
    {} messages.json (909B)
  📁 ro
    {} messages.json (978B)
  📁 ru (2KB)
    {} messages.json (2KB)
  📁 sk (1KB)
    {} messages.json (1KB)
  📁 sl
    {} messages.json (903B)
  📁 sr (2KB)
    {} messages.json (2KB)
  📁 sv
    {} messages.json (876B)
  📁 th (2KB)
    {} messages.json (2KB)
  📁 tr
    {} messages.json (864B)
  📁 uk (2KB)
    {} messages.json (2KB)
  📁 vi (1KB)
    {} messages.json (1KB)
  📁 zh_CN (1KB)
    {} messages.json (1KB)
  📁 zh_TW (1KB)
    {} messages.json (1KB)
📁 _metadata (9KB)
  {} verified_contents.json (9KB)
🖼 arrow_left_black_24.svg (226B)
🖼 arrow_right_black_24.svg (222B)
📜 authuserscript-compiled.js (330B)
📜 contentscript_isolated-compiled.js (10KB)
📜 contentscript_main-compiled.js (241B)
🎨 disable_promo.css (25B)
🖼 fullscreen_24px.svg (258B)
{} manifest.json (882B)
📜 popup-compiled.js (14KB)
🎨 popup.css (10KB)
🌐 popup.html (213B)
🖼 scholar128.png (2KB)
🖼 scholar16-tb.png (383B)
🖼 scholar16.png (367B)
🖼 scholar32-tb.png (679B)
🖼 scholar48.png (776B)
🖼 scholar_logo_230x36px.svg (4KB)
🖼 search.svg (425B)
🖼 settings_24px.svg (1KB)
🖼 star_24px.svg (251B)

What This Extension Does

The Google Scholar Button extension adds a browser button for easy access to Google Scholar from any web page, allowing users to find full text articles, transfer queries, format references, and save articles to their library. This extension is suitable for academics, researchers, and students who frequently use Google Scholar. With over 3 million users, it's essential to evaluate its security posture.

Permissions Explained

  • storage (expected): This permission allows the extension to store data locally on your device, such as saved articles and library settings.
    Technical: The extension uses Chrome's storage API to access local storage, which can be accessed by other extensions or malicious scripts if compromised. This exposes sensitive user data, including library credentials and saved article metadata.
  • activeTab (expected): This permission enables the extension to access the currently active tab's content, allowing it to perform actions like transferring queries or formatting references.
    Technical: The extension uses Chrome's tabs API to access the active tab's content, which can be used to inject malicious scripts or steal sensitive information if compromised. This exposes user browsing data and potentially sensitive information.
  • scripting (expected): This permission allows the extension to execute scripts in the context of web pages, enabling features like formatting references or saving articles.
    Technical: The extension uses Chrome's content script injection API to inject scripts into web pages, which can be used to inject malicious code or steal sensitive information if compromised. This exposes user browsing data and potentially sensitive information.
  • *://scholar.google.com/* (expected): This permission enables the extension to access Google Scholar's services, including searching for articles and saving them to your library.
    Technical: The extension uses a wildcard permission to access all subdomains of scholar.google.com, which can be used to inject malicious scripts or steal sensitive information if compromised. This exposes user browsing data and potentially sensitive information.

Your Data

The extension accesses local storage on your device, including library credentials and saved article metadata. It also sends requests to Google Scholar's services, including searching for articles and saving them to your library.

Technical Details

domains
  • scholar.google.com
  • lh3.googleusercontent.com
  • accounts.google.com
protocols
  • HTTPS
encryption_status
  • TLS 1.2
data_types
  • cookies
  • tokens
  • page content

Code Findings

innerHTML assignment — potential XSS vector (Medium)

The extension uses innerHTML to inject scripts into web pages, which can be used by attackers to inject malicious code or steal sensitive information.

Technical: The extension's content script injects a script that sets the innerHTML of an element to a user-provided value. This can lead to XSS attacks if the user-provided value is not properly sanitized.

💡 This pattern is commonly used in legitimate extensions to inject scripts into web pages, but it requires proper sanitization and validation to prevent XSS attacks.

charCodeAt (obfuscation) (Medium)

The extension uses charCodeAt to obfuscate its code, making it harder for users to understand what the extension is doing.

Technical: The extension's JavaScript files use charCodeAt to encode strings, which can make it difficult for security analysts to review and analyze the code.

💡 This pattern is commonly used in legitimate extensions to obfuscate code, but it can also be used by attackers to hide malicious behavior.

Makes XHR requests (Info)

The extension makes HTTP requests to Google Scholar's services, which is a normal behavior for this type of extension.

Technical: The extension uses the XMLHttpRequest API to make GET and POST requests to Google Scholar's services.

💡 This pattern is commonly used in legitimate extensions to access web services and APIs.

Uses postMessage for cross-origin comms (Medium)

The extension uses postMessage to communicate with other scripts across different origins, which can be used by attackers to inject malicious code or steal sensitive information.

Technical: The extension's content script uses postMessage to send and receive messages with other scripts across different origins.

💡 This pattern is commonly used in legitimate extensions to communicate with other scripts across different origins, but it requires proper validation and sanitization to prevent XSS attacks.

Sets up event listeners (Info)

The extension sets up event listeners to respond to user interactions, which is a normal behavior for this type of extension.

Technical: The extension's content script sets up event listeners using the addEventListener API.

💡 This pattern is commonly used in legitimate extensions to respond to user interactions.

Bottom Line

Overall, the Google Scholar Button extension has a moderate security posture. While it uses some potentially insecure patterns like innerHTML assignment and charCodeAt obfuscation, these are not critical vulnerabilities. However, users should be aware of the potential risks associated with these patterns and take necessary precautions to protect their sensitive information.