Tampermonkey
Block annoying ads and trackers with Tampermonkey, a powerful userscript manager that lets you change the web at will. Ideal for web developers, researchers, and anyone tired of intrusive online content, this extension brings flexibility and control to your browsing experience. Those who spend hours online, such as students, professionals, and enthusiasts, benefit most from its capabilities.
Overview
Enhance your browsing experience with Tampermonkey! 🌐🚀
Tampermonkey is a versatile browser extension with over 10 million users that enhances your browsing experience by allowing you to run userscripts on websites.
Userscripts are small programs that modify page layouts, add or remove features, and automate actions to personalize your web experience.
### 🔑 Key Features: ###
🛠️ Efficiently manage and edit your userscripts
⚡ Swiftly activate and deactivate scripts with just two clicks
🔗 Synchronize scripts using Chrome Sync and various cloud storage services (Google Drive, Dropbox, OneDrive, Yandex.Disk, and WebDAV)
💾 Backup and restore options and userscripts through zip files and/or cloud storage
🔄 Automatic script updates for a seamless experience
For a comprehensive overview, check out our frequently asked questions or simply install the extension. 💡
### 🔍 Discover Userscripts: ###
Find a wide array of userscripts at www.userscript.zone. 🌟
### 📌 Useful Links: ###
🐛 Bug Reports: http://tmnk.net/bug
📝 Full Changelog: http://tmnk.net/changelog.php?ext=dhdg
❓ Frequently Asked Questions: http://tmnk.net/faq
🔎 Userscript Search: https://www.userscript.zone
### 🔐 Data Usage & Privacy: ###
Tampermonkey collects anonymous usage information to improve your experience, such as:
📦 Extension version
🌍 Preferred language
🚫 Script installations for blacklist updates
🖥️ Browser and operating system type
Additionally, error reports containing anonymous information are automatically sent when internal errors occur.
You can disable this feature by adjusting the "Anonymous statistics" setting in the extension. ⚙️
Note: In incognito mode, no usage information is collected or sent. 🕵️
For specific functions (e.g., blacklist updates), data from the browser's user-agent string may be collected.
You can disable this by adjusting the "Userscript Blacklist Source" and "Show update notification" settings.
### 📍 Location Data: ###
If either the "Userscript Blacklist Source" or "Show update notification" setting is enabled, Tampermonkey sends HTTP requests, which inherently include your IP address.
Server logs only contain truncated IP addresses. If "Anonymous statistics" is enabled, your IP address helps determine your approximate region or country. 🌏
Thank you for using Tampermonkey! 😃
Security Analysis — Tampermonkey
Package Contents 84 files · 4.8MB
What This Extension Does
Tampermonkey is a browser extension that allows users to run custom scripts on websites, enhancing their browsing experience. It's suitable for power users who want to automate tasks and personalize their web experience.
Permissions Explained
- <all_urls>: Allows the extension to access all URLs visited by the user, including sensitive information like login credentials.
  Technical: Accesses all URLs via Chrome's <all_urls> permission, allowing for potential data exfiltration or unauthorized script execution.
- webRequest: Allows the extension to intercept and modify HTTP requests made by the user.
  Technical: Accesses web requests via Chrome's webRequest API, enabling potential man-in-the-middle attacks or unauthorized data modification.
- webRequestBlocking: Allows the extension to block HTTP requests made by the user.
  Technical: Accesses web request blocking via Chrome's webRequestBlocking API, enabling potential denial-of-service attacks or unauthorized data suppression.
- cookies: Allows the extension to read and write cookies on behalf of the user.
  Technical: Accesses cookies via Chrome's cookies API, enabling potential session hijacking or unauthorized data access.
- notifications: Allows the extension to display notifications to the user.
  Technical: Accesses notifications via Chrome's notifications API, enabling potential phishing attacks or unauthorized data disclosure.
- unlimitedStorage: Allows the extension to store an unlimited amount of data on behalf of the user.
  Technical: Accesses storage via Chrome's unlimitedStorage API, enabling potential data exfiltration or unauthorized data storage.
- tabs: Allows the extension to access and manipulate tabs opened by the user.
  Technical: Accesses tabs via Chrome's tabs API, enabling potential tab hijacking or unauthorized data access.
- storage: Allows the extension to store and retrieve data on behalf of the user.
  Technical: Accesses storage via Chrome's storage API, enabling potential data exfiltration or unauthorized data storage.
- scripting: Allows the extension to execute scripts on behalf of the user.
  Technical: Accesses scripting via Chrome's scripting API, enabling potential code injection or unauthorized data access.
- downloads: Allows the extension to download files on behalf of the user.
  Technical: Accesses downloads via Chrome's downloads API, enabling potential file exfiltration or unauthorized data access.
Your Data
Tampermonkey collects anonymous usage information, including extension version, preferred language, script installations for blacklist updates, and browser/operating system type. It also sends error reports containing anonymous information when internal errors occur.
Technical Details
Code Findings
- This behavior allows the extension to load external scripts, which could potentially introduce malicious code or unauthorized data access.
  Technical: The extension uses a service worker to load external scripts via the fetch API. This enables potential code injection or unauthorized data access.
  💡 Loading external scripts is necessary for the extension's functionality, as it allows users to run custom scripts on websites.
- This behavior could potentially allow an attacker to inject malicious code into the extension's UI, leading to unauthorized data access or other security issues.
  Technical: The extension uses innerHTML assignment in its content script, which enables potential cross-site scripting (XSS) attacks.
  💡 innerHTML assignment is commonly used for dynamic UI updates in legitimate extensions.
- This behavior suggests that the extension may be attempting to obfuscate its code, which could make it more difficult for security researchers or users to understand its functionality.
  Technical: The extension uses String.fromCharCode to encode strings in its JavaScript files. This is a common technique used for code obfuscation.
  💡 Code obfuscation can be used to protect intellectual property or prevent unauthorized access to sensitive information.
- This behavior is normal for extensions that need to communicate with external services, such as APIs or servers.
  Technical: The extension makes XMLHttpRequests (XHR) to various domains, including those listed in the data exposure section. This enables communication with external services and APIs.
  💡 Making XHR requests is necessary for extensions that need to interact with external services or APIs.
- This behavior could potentially allow an attacker to inject malicious code into the extension's UI, leading to unauthorized data access or other security issues.
  Technical: The extension creates script elements dynamically in its content script, which enables potential cross-site scripting (XSS) attacks.
  💡 Creating script elements dynamically is necessary for some extensions that need to inject custom scripts into web pages.
- This behavior allows the extension to communicate with other scripts or services across different origins, which could potentially introduce security risks if not properly implemented.
  Technical: The extension uses postMessage to send data between its content script and other scripts or services. This enables cross-origin communication, but also introduces potential security risks if not properly implemented.
  💡 Using postMessage for cross-origin comms is necessary for some extensions that need to interact with external services or APIs.
- This behavior is normal for extensions that need to respond to user interactions or other events.
  Technical: The extension sets up event listeners in its content script, which enables it to respond to user interactions and other events.
  💡 Setting up event listeners is necessary for extensions that need to interact with web pages or respond to user input.
Tampermonkey has several security concerns, including excessive permission requests, potential data exfiltration, and unauthorized script execution. While it's a powerful tool for power users, we recommend exercising caution when installing and using this extension.