palant.de - Almost Secure

Description: Wladimir Palant's blog


Malicious code in PDF Toolbox extension

2023-05-16 | security / privacy / add-ons | 8 mins | 2 comments

The PDF Toolbox extension for Google Chrome has more than 2 million users and an average rating of 4,2 in the Chrome Web Store. So I was rather surprised to discover obfuscated code in it that has apparently gone unnoticed for at least a year.

The code has been made to look like a legitimate extension API wrapper, merely with some convoluted logic on top. It takes a closer look to recognize unexpected functionality here, and quite some more effort to understand what it is doing.

This code allows the serasearchtop[.]com website to inject arbitrary JavaScript code into all websites you visit. While it is impossible for me to tell what this is being used for, the most likely use is injecting ads. More nefarious uses are also possible, however.
