WPS浏览器助手：文档在线阅读编辑

Name: Security Analysis: WPS浏览器助手：文档在线阅读编辑
Item: WPS浏览器助手：文档在线阅读编辑
Rating: 5
Author: ChromeBoard

🔍 Security Report Available

👥 2M+ users

📦 v4.1.6

💾 3.27MiB

📅 2025-12-20

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Lets you preview and edit popular document formats like PDF, Excel, Word, and PPT online without downloading them, making it a convenient tool for anyone who needs to work with documents on-the-go.

Overview

PDF、Excel、Word、PPT等文档无需下载即可在线预览，还能对文档进行编辑、打印、转换等处理。

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

v4.1.6 Info Scanned Mar 5, 2026

Security Analysis — WPS浏览器助手：文档在线阅读编辑

Analyzed v4.1.6 · Mar 5, 2026 · 22 JS files · 6045 KB scanned

Permissions

Code Patterns Detected

External Connections

www.w3.org drive.wps.cn www.kdocs.cn account.wps.cn github.com 365.kdocs.cn kvas-api.wps.cn www.xfa.org kdocs-vas.wpscdn.cn personal-act.wps.cn vip.wps.cn api.wps.cn +8 more

Package Contents 233 files · 8.9MB

▾📁_metadata30KB

{}verified_contents.json30KB

▾📁assets6.4MB

▾📁images23KB

🖼cursor-editorFreeText.svg4KB

🖼cursor-editorInk.svg4KB

🖼cursor-editorStickyNote.svg1KB

🖼title.svg14KB

📜idx.index.COqrbSUj.js4.4MBlarge

📜mod.NewPopup.NNYWLZhZ.js20KB

📜mod.Options.CV6LZYRu.js58KBlarge

📜mod.Popup.xNt50Jm4.js26KB

📜mod.Popup2.Bv5trLZe.js3KB

📜mod.SidePanel.Cca3tLU7.js13KB

📜mod.VSwitch.Le1rfzYo.js21KB

📜mod.action.D8x2PMhZ.js281B

📜mod.canvas.D6-XlEtG.js731B

📜mod.jsmd5.B6W_seTK.js10KB

📜mod.mitt.DJ65BbbF.js317B

📜mod.pinia.X_A9LvIF.js4KB

📜mod.uuid.CtRu48qb.js807B

📜mod.vue.T5czO8QZ.js78KBlarge

📜mod.vue3tour.CwYx1CjT.js29KB

📜mod.vuerouter.CKJFEFIr.js22KB

📜mod.vuetify.Cqpg4kqI.js43KB

🖼res.1.DNhb615t.png6KB

🖼res.2.Cxe_znCQ.png6KB

🖼res.3.DajoA2M7.png6KB

🖼res.4.CqQGWA1C.png6KB

🖼res.5.BzcR0T9v.png5KB

🎨res.NewPopup.CDQF3hHK.css6KB

🎨res.Options.BHwauEHD.css14KB

🎨res.Popup.DitH5_fA.css3KB

🎨res.Popup2.BaxbR0Jk.css2KB

🎨res.SidePanel.Bk2sODIS.css4KB

🎨res.VSwitch.C4sYkWrw.css8KB

🖼res.ai_page.oiiQ38Xl.png35KB

🖼res.covert-panel-empty.fI3KNfo3.svg4KB

🖼res.google.C4QikobJ.svg157KB

🖼res.guide-local-files-banner.yLPBdsVK.jpg109KB

🖼res.iciba.D6vJgca5.svg21KB

🎨res.index.DC4H3eLv.css415KB

🖼res.set-collectpage_info.Miigdm6o.svg31KB

🖼res.set-drawword_info.BvZR-aVi.svg582KB

🖼res.set-floatingball_info.4b4BiLcl.svg41KB

🖼res.set-ocr_info.DqttRhkw.svg29KB

🖼res.set-screenshot_info.CSH_27Pa.svg169KB

🖼res.svip-privilege.BTfUCPW5.svg28KB

🖼res.vip-privilege.BUbN_-SY.svg42KB

▾📁cmaps1.1MB

📄78-EUC-H.bcmap2KB

📄78-EUC-V.bcmap173B

📄78-H.bcmap2KB

📄78-RKSJ-H.bcmap2KB

📄78-RKSJ-V.bcmap173B

📄78-V.bcmap169B

📄78ms-RKSJ-H.bcmap3KB

📄78ms-RKSJ-V.bcmap290B

📄83pv-RKSJ-H.bcmap905B

📄90ms-RKSJ-H.bcmap721B

📄90ms-RKSJ-V.bcmap290B

📄90msp-RKSJ-H.bcmap715B

📄90msp-RKSJ-V.bcmap291B

📄90pv-RKSJ-H.bcmap982B

📄90pv-RKSJ-V.bcmap260B

📄Add-H.bcmap2KB

📄Add-RKSJ-H.bcmap2KB

📄Add-RKSJ-V.bcmap287B

📄Add-V.bcmap282B

📄Adobe-CNS1-0.bcmap317B

📄Adobe-CNS1-1.bcmap371B

📄Adobe-CNS1-2.bcmap376B

📄Adobe-CNS1-3.bcmap401B

📄Adobe-CNS1-4.bcmap405B

📄Adobe-CNS1-5.bcmap406B

📄Adobe-CNS1-6.bcmap406B

📄Adobe-CNS1-UCS2.bcmap40KB

📄Adobe-GB1-0.bcmap217B

📄Adobe-GB1-1.bcmap250B

📄Adobe-GB1-2.bcmap465B

📄Adobe-GB1-3.bcmap470B

📄Adobe-GB1-4.bcmap601B

📄Adobe-GB1-5.bcmap625B

📄Adobe-GB1-UCS2.bcmap33KB

📄Adobe-Japan1-0.bcmap225B

📄Adobe-Japan1-1.bcmap226B

📄Adobe-Japan1-2.bcmap233B

📄Adobe-Japan1-3.bcmap242B

📄Adobe-Japan1-4.bcmap337B

📄Adobe-Japan1-5.bcmap430B

📄Adobe-Japan1-6.bcmap485B

📄Adobe-Japan1-UCS2.bcmap40KB

📄Adobe-Korea1-0.bcmap241B

📄Adobe-Korea1-1.bcmap386B

📄Adobe-Korea1-2.bcmap391B

📄Adobe-Korea1-UCS2.bcmap23KB

📄B5-H.bcmap1KB

📄B5-V.bcmap142B

📄B5pc-H.bcmap1KB

📄B5pc-V.bcmap144B

📄CNS-EUC-H.bcmap2KB

📄CNS-EUC-V.bcmap2KB

📄CNS1-H.bcmap706B

📄CNS1-V.bcmap143B

📄CNS2-H.bcmap504B

📄CNS2-V.bcmap93B

📄ETHK-B5-H.bcmap4KB

📄ETHK-B5-V.bcmap158B

📄ETen-B5-H.bcmap1KB

📄ETen-B5-V.bcmap158B

📄ETenms-B5-H.bcmap101B

📄ETenms-B5-V.bcmap172B

📄EUC-H.bcmap578B

📄EUC-V.bcmap170B

📄Ext-H.bcmap2KB

📄Ext-RKSJ-H.bcmap2KB

📄Ext-RKSJ-V.bcmap218B

📄Ext-V.bcmap215B

📄GB-EUC-H.bcmap549B

📄GB-EUC-V.bcmap179B

📄GB-H.bcmap528B

📄GB-V.bcmap175B

📄GBK-EUC-H.bcmap14KB

📄GBK-EUC-V.bcmap180B

📄GBK2K-H.bcmap19KB

📄GBK2K-V.bcmap219B

📄GBKp-EUC-H.bcmap14KB

📄GBKp-EUC-V.bcmap181B

📄GBT-EUC-H.bcmap7KB

📄GBT-EUC-V.bcmap180B

📄GBT-H.bcmap7KB

📄GBT-V.bcmap176B

📄GBTpc-EUC-H.bcmap7KB

📄GBTpc-EUC-V.bcmap182B

📄GBpc-EUC-H.bcmap557B

📄GBpc-EUC-V.bcmap181B

📄H.bcmap553B

📄HKdla-B5-H.bcmap3KB

📄HKdla-B5-V.bcmap148B

📄HKdlb-B5-H.bcmap2KB

📄HKdlb-B5-V.bcmap148B

📄HKgccs-B5-H.bcmap2KB

📄HKgccs-B5-V.bcmap149B

📄HKm314-B5-H.bcmap2KB

📄HKm314-B5-V.bcmap149B

📄HKm471-B5-H.bcmap2KB

📄HKm471-B5-V.bcmap149B

📄HKscs-B5-H.bcmap4KB

📄HKscs-B5-V.bcmap159B

📄Hankaku.bcmap132B

📄Hiragana.bcmap124B

📄KSC-EUC-H.bcmap2KB

📄KSC-EUC-V.bcmap164B

📄KSC-H.bcmap2KB

📄KSC-Johab-H.bcmap16KB

📄KSC-Johab-V.bcmap166B

📄KSC-V.bcmap160B

📄KSCms-UHC-H.bcmap3KB

📄KSCms-UHC-HW-H.bcmap3KB

📄KSCms-UHC-HW-V.bcmap169B

📄KSCms-UHC-V.bcmap166B

📄KSCpc-EUC-H.bcmap2KB

📄KSCpc-EUC-V.bcmap166B

📄Katakana.bcmap100B

📄LICENSE2KB

📄NWP-H.bcmap3KB

📄NWP-V.bcmap252B

📄RKSJ-H.bcmap534B

📄RKSJ-V.bcmap170B

📄Roman.bcmap96B

📄UniCNS-UCS2-H.bcmap47KB

📄UniCNS-UCS2-V.bcmap156B

📄UniCNS-UTF16-H.bcmap49KB

📄UniCNS-UTF16-V.bcmap156B

📄UniCNS-UTF32-H.bcmap51KB

📄UniCNS-UTF32-V.bcmap160B

📄UniCNS-UTF8-H.bcmap52KB

📄UniCNS-UTF8-V.bcmap157B

📄UniGB-UCS2-H.bcmap42KB

📄UniGB-UCS2-V.bcmap193B

📄UniGB-UTF16-H.bcmap43KB

📄UniGB-UTF16-V.bcmap178B

📄UniGB-UTF32-H.bcmap45KB

📄UniGB-UTF32-V.bcmap182B

📄UniGB-UTF8-H.bcmap46KB

📄UniGB-UTF8-V.bcmap181B

📄UniJIS-UCS2-H.bcmap25KB

📄UniJIS-UCS2-HW-H.bcmap119B

📄UniJIS-UCS2-HW-V.bcmap680B

📄UniJIS-UCS2-V.bcmap664B

📄UniJIS-UTF16-H.bcmap39KB

📄UniJIS-UTF16-V.bcmap643B

📄UniJIS-UTF32-H.bcmap40KB

📄UniJIS-UTF32-V.bcmap677B

📄UniJIS-UTF8-H.bcmap41KB

📄UniJIS-UTF8-V.bcmap678B

📄UniJIS2004-UTF16-H.bcmap39KB

📄UniJIS2004-UTF16-V.bcmap647B

📄UniJIS2004-UTF32-H.bcmap40KB

📄UniJIS2004-UTF32-V.bcmap681B

📄UniJIS2004-UTF8-H.bcmap41KB

📄UniJIS2004-UTF8-V.bcmap682B

📄UniJISPro-UCS2-HW-V.bcmap705B

📄UniJISPro-UCS2-V.bcmap689B

📄UniJISPro-UTF8-V.bcmap726B

📄UniJISX0213-UTF32-H.bcmap40KB

📄UniJISX0213-UTF32-V.bcmap684B

📄UniJISX02132004-UTF32-H.bcmap40KB

📄UniJISX02132004-UTF32-V.bcmap688B

📄UniKS-UCS2-H.bcmap25KB

📄UniKS-UCS2-V.bcmap178B

📄UniKS-UTF16-H.bcmap26KB

📄UniKS-UTF16-V.bcmap164B

📄UniKS-UTF32-H.bcmap26KB

📄UniKS-UTF32-V.bcmap168B

📄UniKS-UTF8-H.bcmap27KB

📄UniKS-UTF8-V.bcmap169B

📄V.bcmap166B

📄WP-Symbol.bcmap179B

▾📁icons10KB

🖼wps_logo_128.png8KB

🖼wps_logo_16.png553B

🖼wps_logo_48.png2KB

▾📁images12KB

🖼annotation-noicon.svg158B

🖼annotation-sticky-note.svg10KB

🖼loading.svg1KB

▾📁js

📜timeStart.js150B

▾📁lib1MB

📄content_script.md18B

📜content_scripts.umd.min.js1MBlarge

📜introduce.umd.min.js27KB

📜webproxy.umd.min.js21KB

▾📁locale22KB

▾📁en-US11KB

📄viewer.properties11KB

▾📁zh-CN11KB

📄viewer.properties11KB

📄locale.properties45B

📜background.js165KBlarge

🖼favicon.ico81KB

🌐index.html1KB

{}manifest.json2KB

What This Extension Does

WPS浏览器助手：文档在线阅读编辑 is a browser extension that allows users to preview, edit, print, and convert various document types (PDF, Excel, Word, PPT) without downloading them. It's designed for productivity and convenience, but its functionality raises some security concerns.

Permissions Explained

webNavigationexpected: This permission allows the extension to monitor and control navigation between web pages.
Technical: The extension can access Chrome's Navigation API, which includes information about the current URL, referrer, and other navigation-related data. This could be used for tracking or redirecting users.
webRequestcheck this: This permission allows the extension to intercept and modify network requests.
Technical: The extension can access Chrome's Web Request API, which includes information about incoming and outgoing HTTP requests. This could be used for injecting malware or modifying user data. ⚠ 1
downloadsexpected: This permission allows the extension to access and modify download behavior.
Technical: The extension can access Chrome's Downloads API, which includes information about downloaded files. This could be used for tracking or modifying user downloads.
storageexpected: This permission allows the extension to store and retrieve data locally on the user's device.
Technical: The extension can access Chrome's Storage API, which includes information about stored data. This could be used for tracking or storing sensitive user data.
tabsexpected: This permission allows the extension to access and modify tab behavior.
Technical: The extension can access Chrome's Tabs API, which includes information about open tabs. This could be used for tracking or modifying user browsing habits.
cookiescheck this: This permission allows the extension to read and write cookies on behalf of the user.
Technical: The extension can access Chrome's Cookies API, which includes information about stored cookies. This could be used for tracking or modifying user behavior. ⚠ 1
nativeMessagingcheck this: This permission allows the extension to communicate with native applications on the user's device.
Technical: The extension can access Chrome's Native Messaging API, which includes information about native application communication. This could be used for injecting malware or modifying system behavior. ⚠ 1
<all_urls>check this: This permission allows the extension to access all URLs on the user's device.
Technical: The extension can access Chrome's All URLs API, which includes information about all visited URLs. This could be used for tracking or modifying user browsing habits. ⚠ 1
declarativeNetRequestcheck this: This permission allows the extension to block or modify network requests.
Technical: The extension can access Chrome's Declarative Net Request API, which includes information about incoming and outgoing HTTP requests. This could be used for injecting malware or modifying user data. ⚠ 1
gcmexpected: This permission allows the extension to access Google Cloud Messaging (GCM) services.
Technical: The extension can access Chrome's GCM API, which includes information about device registration and messaging. This could be used for tracking or modifying user behavior.
contextMenusexpected: This permission allows the extension to access context menus on the user's device.
Technical: The extension can access Chrome's Context Menus API, which includes information about menu items. This could be used for tracking or modifying user behavior.
sidePanelexpected: This permission allows the extension to access side panels on the user's device.
Technical: The extension can access Chrome's Side Panels API, which includes information about panel content. This could be used for tracking or modifying user behavior.
historycheck this: This permission allows the extension to access browsing history on the user's device.
Technical: The extension can access Chrome's History API, which includes information about visited URLs. This could be used for tracking or modifying user behavior. ⚠ 1

Your Data

This extension accesses various data on the user's device, including browsing history, cookies, and storage data. It also sends data to several domains, including WPS servers and Google services.

Technical Details

The extension contacts the following domains: www.w3.org, drive.wps.cn, www.kdocs.cn, account.wps.cn, github.com, 365.kdocs.cn, kvas-api.wps.cn, www.xfa.org, kdocs-vas.wpscdn.cn, personal-act.wps.cn, vip.wps.cn, api.wps.cn. It also uses the following protocols: HTTP, HTTPS, and WebSocket.

Code Findings

Eval() usedHigh

The extension uses eval(), which can execute arbitrary code. This could be used for injecting malware or modifying user data.

Technical: The extension uses eval() in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically execute code based on user input.

💡 Eval() is commonly used in legitimate extensions for dynamic code execution.

Function constructor usedHigh

The extension uses the Function constructor, which can execute arbitrary code. This could be used for injecting malware or modifying user data.

Technical: The extension uses the Function constructor in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically create functions based on user input.

💡 The Function constructor is commonly used in legitimate extensions for dynamic code execution.

innerHTML assignmentMedium

The extension uses innerHTML assignment, which can be used to inject malicious content. This could be used for XSS attacks or modifying user behavior.

Technical: The extension uses innerHTML assignment in several HTML files, including popup.html and options.html. This allows the extension to dynamically update page content based on user input.

💡 InnerHTML assignment is commonly used in legitimate extensions for dynamic content updates.

String.fromCharCode (obfuscation)Medium

The extension uses String.fromCharCode, which can be used to obfuscate code. This could be used for hiding malicious behavior or modifying user data.

Technical: The extension uses String.fromCharCode in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically encode strings based on user input.

💡 String.fromCharCode is commonly used in legitimate extensions for encoding strings.

charCodeAt (obfuscation)Medium

The extension uses charCodeAt, which can be used to obfuscate code. This could be used for hiding malicious behavior or modifying user data.

Technical: The extension uses charCodeAt in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically encode characters based on user input.

💡 charCodeAt is commonly used in legitimate extensions for encoding characters.

unescape (deprecated obfuscation)Medium

The extension uses unescape, which can be used to obfuscate code. This could be used for hiding malicious behavior or modifying user data.

Technical: The extension uses unescape in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically decode strings based on user input.

💡 unescape is commonly used in legitimate extensions for decoding strings.

Captures keystrokesCritical

The extension captures keystrokes, which could be used to steal sensitive user data or inject malware.

Technical: The extension uses the Keyboard API to capture keystrokes in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically monitor keyboard input based on user activity.

💡 Capturing keystrokes is commonly used in legitimate extensions for password management or text input assistance.

Can block/modify network requestsHigh

The extension can block or modify network requests, which could be used to inject malware or modify user data.

Technical: The extension uses the Declarative Net Request API to block or modify network requests in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically intercept and modify HTTP requests based on user input.

💡 Blocking or modifying network requests is commonly used in legitimate extensions for ad-blocking or content filtering.

Weak cryptographic algorithmMedium

The extension uses a weak cryptographic algorithm, which could be used to compromise user data or inject malware.

Technical: The extension uses the MD5 hash function in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically encrypt data based on user input.

💡 Weak cryptographic algorithms are commonly used in legitimate extensions for password storage or data encryption.

Uses postMessage for cross-origin commsMedium

The extension uses postMessage to communicate with other origins, which could be used to inject malware or modify user data.

Technical: The extension uses the postMessage API in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically send messages between web pages based on user input.

💡 postMessage is commonly used in legitimate extensions for cross-origin communication or messaging.

Sets up event listenersInfo

The extension sets up event listeners, which could be used to monitor user behavior or inject malware.

Technical: The extension uses the addEventListener API in several JavaScript files, including background.js and contentScript.js. This allows the extension to dynamically attach event handlers based on user input.

💡 Event listeners are commonly used in legitimate extensions for monitoring user activity or responding to events.

Bottom Line

This extension raises several security concerns, including the use of eval(), Function constructor, and weak cryptographic algorithms. It also captures keystrokes and can block/modify network requests. While it has legitimate uses for productivity and convenience, users should exercise caution when installing this extension.