Pendo Launcher
Overview
Pendo simplifies complex user experiences by bringing automated, personalized guidance to your employees within the software applications they use for work. Just-in-time resources help teams increase productivity and improve compliance, step-by-step guides boost your training efforts, and comprehensive analytics help you understand application usage and behaviors.
The Pendo Launcher browser extension facilitates quick mass deployment of digital adoption solutions to your full suite of employee-facing applications with just a few clicks:
Guidance:
- In-app guides deliver training inside software, where work actually gets done
- Train more effectively with personalized guidance for different roles
- Improve change management and compliance with timely communication
Insights:
- Understand application usage with comprehensive analytics
- Analyze user behavior to understand causes of friction and increase productivity
- Measure training completion and effectiveness to drive improvements
Feedback:
- Collect actionable feedback about employee-facing software at scale
- Identify common requests to prioritize changes and improve training
- Prioritize investments in high-impact system updates
Learn more about Pendo’s digital adoption solutions at https://www.pendo.io/
Security Analysis — Pendo Launcher
Package Contents 34 files · 9.3MB
What This Extension Does
The Pendo Launcher browser extension facilitates quick mass deployment of digital adoption solutions to your full suite of employee-facing applications. It simplifies complex user experiences by bringing automated, personalized guidance to employees within software applications they use for work. This extension is suitable for organizations looking to improve productivity and compliance among their employees.
Permissions Explained
- alarms (expected): This permission allows the extension to display notifications on your browser.
  Technical: The extension can access Chrome's alarm system, which enables it to send notifications to the user. This could be used for legitimate purposes such as alerting users about new features or updates.
- contextMenus (expected): This permission allows the extension to add custom menu items to your browser's context menu.
  Technical: The extension can access Chrome's context menus, which enables it to display additional options in the right-click menu. This could be used for legitimate purposes such as providing quick access to Pendo's features.
- declarativeNetRequestWithHostAccess (expected): This permission allows the extension to modify network requests made by your browser.
  Technical: The extension can access Chrome's declarative net request API, which enables it to intercept and modify HTTP requests. This could be used for legitimate purposes such as optimizing network performance or blocking malicious content.
- identity (expected): This permission allows the extension to access your Google account information.
  Technical: The extension can access Chrome's identity API, which enables it to retrieve user data such as email addresses and authentication tokens. This could be used for legitimate purposes such as authenticating users or personalizing their experience.
- identity.email (expected): This permission allows the extension to access your email address.
  Technical: The extension can access Chrome's identity API, which enables it to retrieve user data such as email addresses. This could be used for legitimate purposes such as authenticating users or sending notifications.
- scripting (expected): This permission allows the extension to execute scripts in your browser.
  Technical: The extension can access Chrome's scripting API, which enables it to run JavaScript code. This could be used for legitimate purposes such as enhancing user experience or providing additional features.
- sidePanel (expected): This permission allows the extension to display a panel in your browser's sidebar.
  Technical: The extension can access Chrome's side panel API, which enables it to display additional content in the sidebar. This could be used for legitimate purposes such as providing quick access to Pendo's features or displaying notifications.
- storage (expected): This permission allows the extension to store data locally on your device.
  Technical: The extension can access Chrome's storage API, which enables it to store user data such as preferences or authentication tokens. This could be used for legitimate purposes such as personalizing the user experience or authenticating users.
- tabs (expected): This permission allows the extension to access and modify your browser's tabs.
  Technical: The extension can access Chrome's tab API, which enables it to retrieve or modify tab data such as URLs or titles. This could be used for legitimate purposes such as enhancing user experience or providing additional features.
- webNavigation (expected): This permission allows the extension to intercept and modify your browser's navigation requests.
  Technical: The extension can access Chrome's web navigation API, which enables it to intercept and modify HTTP requests. This could be used for legitimate purposes such as optimizing network performance or blocking malicious content.
- <all_urls> (check this): This permission allows the extension to access all URLs visited by your browser.
  Technical: The extension can access Chrome's <all_urls> API, which enables it to intercept and modify HTTP requests for any URL. This could be used for malicious purposes such as tracking user activity or injecting malware.
Your Data
The extension accesses your email address, stores data locally on your device, and sends data to Pendo's servers. It also intercepts and modifies network requests made by your browser.
Technical Details
Code Findings
- The extension uses the execScript function instead of eval, which is a more secure way to execute JavaScript code.
  Technical: The extension uses the execScript function in its background script to execute JavaScript code. This is a legitimate use case and does not pose any security risks.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
- The extension uses the charCodeAt function, which could be used for obfuscating code.
  Technical: The extension uses the charCodeAt function in its background script to manipulate strings. This could potentially be used for obfuscating code or hiding malicious behavior.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
- The extension creates script elements dynamically, which could be used for malicious purposes such as injecting malware.
  Technical: The extension uses the document.createElement function to create script elements dynamically. This is a high-risk behavior and should be reviewed carefully.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
- The extension contains a potential hardcoded secret, which could be used for malicious purposes such as authentication bypass.
  Technical: The extension contains a string literal that appears to be a hardcoded secret. This should be reviewed carefully to ensure it is not being used for malicious purposes.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
- The extension creates iframe elements, which could be used for malicious purposes such as injecting malware.
  Technical: The extension uses the document.createElement function to create iframe elements dynamically. This is a medium-risk behavior and should be reviewed carefully.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
- The extension uses the postMessage function for cross-origin communication, which could be used for malicious purposes such as data exfiltration.
  Technical: The extension uses the postMessage function to communicate with other origins. This is a medium-risk behavior and should be reviewed carefully.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
- The extension sets up event listeners, which could be used for malicious purposes such as tracking user activity.
  Technical: The extension uses the addEventListener function to set up event listeners. This is a common pattern in legitimate extensions and does not pose any security risks.
  💡 This pattern is commonly used in legitimate extensions to enhance user experience or provide additional features.
The Pendo Launcher browser extension has some concerning behaviors, including the use of <all_urls> permission and potential hardcoded secrets. However, it also uses some secure practices such as using HTTPS encryption for most requests. Users should exercise caution when installing this extension and review its permissions carefully.