Security researcher Muneaki Nishimura (nishimunea) of Recruit
Technologies Co., Ltd. reported that the chrome.tabs.update
API for web
extensions allows for navigation to javascript:
URLs without additional
permissions. This can used to elevate privilege for a universal cross-site scripting (XSS)
attack by a malicious web extension. It can also be used to inject content into other
extensions if they load content within browser tabs.