Screenshot reader™

What This Extension Does

The Screenshot reader™ extension provides screenshot reading support for users of Read&Write for Google Chrome, likely enhancing accessibility features.

Permissions Explained

• activeTab: Allows the extension to access and manipulate the currently active tab in the browser.

+ Standard for extensions that interact with web pages or provide UI enhancements.

• offscreen: Not explicitly described in this report. Typically allows an extension to run scripts on tabs that are not visible, which can be useful for background tasks.

+ Unusual for a user-facing accessibility extension like Screenshot reader™; might indicate additional functionality beyond screenshot reading.

• <all_urls>: Grants the extension permission to access and manipulate any URL, including those with sensitive or restricted content (e.g., internal company websites).

+ Critical risk due to its broad scope. This level of access is unusual for an accessibility-focused extension like Screenshot reader™.

What We Found in the Code

• [high] eval() used — can execute arbitrary code: The use of eval() is a high-risk pattern because it allows execution of arbitrary JavaScript code, which can lead to security vulnerabilities if not properly sanitized. However, without more context (e.g., whether eval() is called with user-provided strings), it's difficult to assess the risk.
• [high] Function constructor used — dynamic code execution: Similar to eval(), using the function constructor for dynamic code execution can pose a security risk if not properly managed. Again, without more context, it's hard to evaluate the specific risk here.
• [medium] innerHTML assignment — potential XSS vector: Assigning HTML content directly to an element's innerHTML property is generally considered a medium-risk pattern because it can lead to cross-site scripting (XSS) vulnerabilities if untrusted data is used. However, in many cases, this is done for UI rendering purposes and not necessarily a security issue.
• [info] Makes HTTP requests: This flag indicates that the extension makes external API calls or communicates with servers. While this is normal behavior for many extensions, it's worth noting for users who might be concerned about data transmission.

External Connections

The extension communicates with several domains:

• www.w3.org, github.com, and unpkg.com are likely used for library dependencies or API calls.
• pajhome.org.uk is associated with a project called "naptha," which seems unrelated to the extension's purpose. This might be an error or an unexpected connection.
• speech.speechstream.net could be related to speech-to-text functionality, aligning with the extension's accessibility focus.
• tessdata.projectnaptha.com, opencollective.com, and pajhome.org.uk are less clear in their relevance without more context.

Things to Consider

Given the Screenshot reader™ extension's purpose as an accessibility tool for Read&Write users, it seems unusual that it requires such broad permissions (e.g., <all_urls>). Users might want to consider whether this level of access is necessary or if there are alternative extensions that achieve similar functionality with more limited permissions. The use of eval() and the function constructor without further context raises some security concerns but should be evaluated in light of the extension's overall behavior and purpose.