ExtensionPedia
Sider: Chat with all AI: GPT-5, Claude, DeepSeek, Gemini, Grok

ChatGPT, DeepSeek, Gemini, Claude, Grok all in one AI sidebar, for AI search, read, and write.

Risk Summary

Score: 7.1/10 (High Risk), for extension version 5.25.10.

Rating factors: Latest Version, Critical Permissions Severity, 3 CVEs, Updated Version Age, Manifest V3, Fair Engagement Rate.
CVEs (3)

All three entries are lodash advisories, each listed with its severity rating and CVSS score. Every one of them has a precondition (untrusted input reaching the key names of _.template's options.imports, or attacker-controlled paths reaching _.unset or _.omit): the listing shows that the extension's lodash version is affected, not whether the extension exposes such a call path.
CVE-2026-4800 (Major, CVSS 8.1)

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option of _.template but did not apply the same validation to the key names of options.imports. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. In addition, _.template merges imports with assignInWith, which enumerates inherited properties via for..in: if Object.prototype has been polluted through any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: upgrade to version 4.18.0. Workarounds: do not pass untrusted input as key names in options.imports; use only developer-controlled, static key names.
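The sink described in this advisory, as an added example: this is not lodash's code and not the extension's, but a minimal model of the same shape (import key names spliced into a Function() parameter list and the result applied at compile time). The names compileBody, compileTemplateUnsafe, compileTemplateSafe and the sample imports are assumptions made for illustration.

```javascript
// Added example, not lodash's code: a model of the _.template imports sink.
// Only the sink shape (key names -> Function() parameter list, applied at
// once) is taken from the advisory; all names below are assumptions.

// Turn 'Hello <%= upper(data.name) %>!' into the body of a factory function:
// 'return function(data) { return "Hello " + (upper(data.name)) + "!"; };'
function compileBody(source) {
  const parts = source.split(/<%=([\s\S]*?)%>/);
  let expr = "";
  parts.forEach((part, i) => {
    expr += i % 2 === 0 ? JSON.stringify(part) : ` + (${part.trim()}) + `;
  });
  return `return function(data) { return ${expr}; };`;
}

// Vulnerable shape. Import key names become the parameter list of a
// Function() constructor and the factory is applied immediately, so any
// default-parameter expression in a key runs at compile time. Keys are
// collected with for..in, so inherited (polluted) keys are picked up too.
function compileTemplateUnsafe(source, imports) {
  const names = [];
  const values = [];
  for (const key in imports) {
    names.push(key);
    values.push(imports[key]);
  }
  return Function(...names, compileBody(source)).apply(undefined, values);
}

// Hardened shape: own keys only, and each must be a plain identifier, so
// nothing but a name can reach the parameter list.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileTemplateSafe(source, imports) {
  const names = Object.keys(imports);
  for (const key of names) {
    if (!IDENTIFIER.test(key)) {
      throw new TypeError(`invalid import name: ${JSON.stringify(key)}`);
    }
  }
  const values = names.map((key) => imports[key]);
  return Function(...names, compileBody(source)).apply(undefined, values);
}

// Constructed inputs. The malicious key declares two parameters, x and y:
// x receives the import's value, y receives nothing, so y's default
// expression is evaluated when the factory is applied, i.e. at compile time.
const IMPORTS_OK = { upper: (s) => s.toUpperCase() };
const IMPORTS_MALICIOUS = {
  upper: (s) => s.toUpperCase(),
  "x, y = (globalThis.pwned = 'ran at compile time')": null,
};

function demo() {
  delete globalThis.pwned;
  const render = compileTemplateUnsafe("Hello <%= upper(data.name) %>!", IMPORTS_OK);
  const rendered = render({ name: "sider" });
  compileTemplateUnsafe("static text", IMPORTS_MALICIOUS); // never rendered, still executes
  const injected = globalThis.pwned;
  let blocked = false;
  try {
    compileTemplateSafe("static text", IMPORTS_MALICIOUS);
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  delete globalThis.pwned;
  return { rendered, injected, blocked };
}

console.log(demo());
```

The point of the identifier check is that validation has to happen on the names, not the values: the values never reach the parser, the names do. Note also that the payload fires even though the compiled template is never rendered, which matches the advisory's "at template compilation time".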
CVE-2026-2950 (Moderate, CVSS 6.5)

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: fixed in 4.18.0. Workarounds: none; upgrade to the patched version.
CVE-2025-13465 (Minor, CVSS 0)

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
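Both of the _.unset/_.omit entries above (CVE-2025-13465 and CVE-2026-2950) describe the same bug class, so one added example serves both. It is not lodash's code: unsetNaive models a deletion helper whose guard inspects only string path segments, and isPrototypePath/unsetSafe are the check a caller can apply before handing a user-controlled path to either function, flattening array-wrapped segments so the bypass the second advisory describes cannot hide a segment. The helper names and sample paths are assumptions made for illustration.

```javascript
// Added example, not lodash's code: a model of the _.unset/_.omit bug class
// and the path check a caller should run first. All names are assumptions.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Bug-class model: the guard only inspects string segments, so an
// array-wrapped segment such as ["constructor"] slips past it and is then
// coerced to the string "constructor" when used as a property key.
function unsetNaive(obj, path) {
  const segs = Array.isArray(path) ? path : path.split(".");
  for (const seg of segs) {
    if (typeof seg === "string" && FORBIDDEN_SEGMENTS.has(seg)) return false;
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    cur = cur[segs[i]];
    if (cur == null) return false;
  }
  return delete cur[segs[segs.length - 1]];
}

// Normalise a path to flat string segments: "a.b" splits on dots, an array
// path is taken literally, and nested arrays are flattened recursively so
// that wrapping cannot hide a segment from the check.
function toSegments(path) {
  if (typeof path === "string") return path.split(".");
  return path.flatMap((seg) => (Array.isArray(seg) ? toSegments(seg) : [String(seg)]));
}

function isPrototypePath(path) {
  return toSegments(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Hardened wrapper: refuse any path that could land on a prototype, and only
// walk through own properties of plain objects.
function unsetSafe(obj, path) {
  if (isPrototypePath(path)) return false;
  const segs = toSegments(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== "object") return false;
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) return false;
    cur = cur[segs[i]];
  }
  if (cur === null || typeof cur !== "object") return false;
  return delete cur[segs[segs.length - 1]];
}

function demo() {
  // Constructed: a throwaway method on Number.prototype stands in for a real
  // built-in such as toString, so the demo does not damage the runtime.
  Number.prototype.sampleMethod = function () { return "present"; };
  const target = { n: 5 };
  // Walk: n -> 5, 5["constructor"] -> Number, Number["prototype"] -> Number.prototype.
  const bypassPath = ["n", ["constructor"], ["prototype"], "sampleMethod"];

  const naiveResult = unsetNaive(target, bypassPath);
  const deletedThroughBypass = naiveResult && typeof (5).sampleMethod === "undefined";

  Number.prototype.sampleMethod = function () { return "present"; };
  const safeResult = unsetSafe(target, bypassPath);
  const blocked = safeResult === false && typeof (5).sampleMethod === "function";

  delete Number.prototype.sampleMethod;
  return { deletedThroughBypass, blocked, flattened: toSegments(bypassPath) };
}

console.log(demo());
```

The walk in the demo starts from an ordinary object and still reaches Number.prototype, which is why the check must look at every segment after flattening rather than at the root object, and why "deletion only" is still a denial-of-service against any code that relies on the deleted method.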
Behavioral Detections

Not shown; the full MITRE ATT&CK matrix is gated behind a demo request.
Permissions (12)

Each permission is listed with its severity rating.

Cookies (Critical)

Extensions with the cookies permission can retrieve and modify cookies (requires host permissions).

Scripting (Critical)

Extensions with the scripting permission can inject and execute code in web pages, which can be used for data exfiltration or session hijacking (requires host permissions; available since Manifest V3).

Declarative Net Request (High)

Extensions with the declarativeNetRequest permission can block network requests without host permissions, and can additionally redirect requests and modify headers for origins they hold host permissions on.

Tab Capture (High)

Extensions with the tabCapture permission can capture the content of any tab. tabCapture must be invoked by a user gesture unless the extension is force-installed, in which case it can capture the screen without user interaction.

Tabs (High)

Extensions with the tabs permission can query the url, pendingUrl, title, and favIconUrl of any tab.

Unlimited Storage (High)

Extensions with the unlimitedStorage permission have no storage quota restrictions for chrome.storage.local, IndexedDB, Cache Storage, and the Origin Private File System.

Alarms (Medium)

Extensions with the alarms permission can schedule code to run periodically or at a specified time in the future.

Context Menus (Medium)

Extensions with the contextMenus permission can add items to the browser's context menu (also known as the right-click menu).

Off Screen (Medium)

Extensions with the offscreen permission can create and manage offscreen documents: hidden extension pages that let a Manifest V3 service worker run DOM-dependent code (for example clipboard access or audio playback) without a visible window.

Side Panel (Medium)

Extensions with the sidePanel permission can display content in the browser's side panel alongside the main content of a webpage, enabling a persistent interface that complements the user's browsing session (available since Manifest V3).

Storage (Medium)

Extensions with the storage permission can store and retrieve user data, which can persist even after clearing the cache and browsing history.

Active Tab (Low)

Extensions with the activeTab permission can temporarily access the active tab, including injecting scripts and modifying content, but only when explicitly invoked by a user gesture. Access is revoked when the user closes the tab or navigates away. Compared to <all_urls>, activeTab is safer because it does not grant persistent access.
Host Permissions (2)

<all_urls>
https://*.openai.com/

<all_urls> already matches every host, so the openai.com pattern adds no reach of its own. It also means that every permission above qualified with "requires host permissions" (cookies, scripting, and the redirect and header-modification side of declarativeNetRequest) applies to every site the user visits, and that the user-gesture limit of activeTab is moot.
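The permission and host-permission listings above are the kind of manifest triage a reviewer does by hand; the added example below does it in code. It is not ExtensionPedia's or Sider's code. SAMPLE_MANIFEST is constructed from the permissions and host patterns listed on this page, not read from the real extension, and the rules encode the page's own observations (cookies and scripting reach every site once <all_urls> is present, declarativeNetRequest can only block without host access, activeTab's limit is meaningless next to <all_urls>, a narrower pattern beside <all_urls> is redundant). Function and constant names are assumptions.

```javascript
// Added example, written for this page: a manifest triage helper. Not the
// extension's code. SAMPLE_MANIFEST is constructed from the listing above.

const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: [
    "cookies", "scripting", "declarativeNetRequest", "tabCapture", "tabs",
    "unlimitedStorage", "alarms", "contextMenus", "offscreen", "sidePanel",
    "storage", "activeTab",
  ],
  host_permissions: ["<all_urls>", "https://*.openai.com/"],
};

// Patterns that grant access to every host the user visits.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };

function reviewManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = manifest.host_permissions || [];
  const broad = hosts.some((h) => BROAD_HOST_PATTERNS.has(h));
  const findings = [];
  const add = (severity, text) => findings.push({ severity, text });

  // Permissions whose reach is decided by host access.
  if (perms.has("cookies")) {
    add(broad ? "critical" : "medium", broad
      ? "cookies + broad host access: cookies of every site can be read and modified"
      : "cookies: scoped to the listed hosts only");
  }
  if (perms.has("scripting")) {
    add(broad ? "critical" : "medium", broad
      ? "scripting + broad host access: code can be injected into every page"
      : "scripting: injection limited to the listed hosts");
  }
  if (perms.has("declarativeNetRequest")) {
    add(broad ? "high" : "medium", broad
      ? "declarativeNetRequest + broad host access: requests can be redirected and headers modified on every site"
      : "declarativeNetRequest: can block requests; redirect/header changes only on listed hosts");
  }
  if (perms.has("activeTab") && broad) {
    add("info", "activeTab adds no restriction here: broad host access already grants persistent access");
  }

  // Permissions that are risky on their own.
  if (perms.has("tabCapture")) add("high", "tabCapture: content of any tab can be captured");
  if (perms.has("tabs")) add("high", "tabs: URL and title of every open tab can be read");

  // Narrower patterns next to a broad one change nothing but show the manifest was not minimised.
  if (broad) {
    for (const h of hosts) {
      if (!BROAD_HOST_PATTERNS.has(h)) add("info", `${h} is redundant: already covered by a broad pattern`);
    }
  }
  return findings;
}

function worstSeverity(findings) {
  return findings.reduce(
    (worst, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst] ? f.severity : worst),
    "info"
  );
}

function countBySeverity(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

const findings = reviewManifest(SAMPLE_MANIFEST);
console.log(worstSeverity(findings), countBySeverity(findings));
findings.forEach((f) => console.log(`[${f.severity}] ${f.text}`));
```

Run against a manifest that requests only activeTab, storage and cookies for a single host, the same rules produce nothing above medium, which is the contrast the page's Active Tab entry is drawing: the permission names matter less than which host access sits next to them.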
Secrets

No Secrets Found

No exposed API keys or credentials were detected

Privacy Policy

Not shown; the privacy policy risk assessment is gated behind a demo request.