extension-scanner.py "Youtube Video Downloader.xpi" --verbose
[i] Analyzing 1 target(s) with minimum severity 'INFO'
[+] Found 1 XPI(s) to analyze
[i] Analyzing XPI: Youtube Video Downloader.xpi

════════════════════════════════════════════════════════════════════════
  XPI ANALYZER — Youtube Video Downloader.xpi
════════════════════════════════════════════════════════════════════════
  Extension Name: YouTube Video Download
  Extension UUID: {8ba275e2-6750-41c3-a944-307e38c2a5e2}
  Overall verdict: CRITICAL RISK

  Findings: 30 CRITICAL  133 HIGH  117 MEDIUM  59 LOW  1 INFO

  ── CRITICAL ──────────────────────────────────────────────────────────
  [CRITICAL] [API_EXFIL_COMBO] includes/facebook_com.js:
      Data collection (keyboard listener) combined with outbound network call in same file — likely exfiltration

  [CRITICAL] [API_EXFIL_COMBO] includes/odnoklassniki_ru.js:
      Data collection (keyboard listener) combined with outbound network call in same file — likely exfiltration

  [CRITICAL] [API_EXFIL_COMBO] js/background.js:
      Data collection (tabs.query({}), tabs.query({})) combined with outbound network call in same file — likely exfiltration

  [CRITICAL] [EXFIL_CHAIN] manifest.json:
      Cross-file exfiltration chain: <all_urls> declared + network call in JS — all page content is accessible for exfiltration
      CODE: Network calls observed in: includes/commons.js, includes/facebook_com.js, includes/mail_ru.js (+3 more)

  [CRITICAL] [JS_OBFUSCATION] includes/astrologyvalley.js:11
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: ss="close"><img src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ib…
      Context:                     var e = document.createElement("div");
                    e.id = "secondModal", e.classList.add("second-modal");
                    e.innerHTML = '\n      <div class="second-modal__window">\n        <button class="close"><img sr

  [CRITICAL] [JS_OBFUSCATION] includes/astrologyvalley.js:11
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: <img\n          src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAT8AAAGQCAYAAADY7GeQAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAA…
      Context:                     var e = document.createElement("div");
                    e.id = "secondModal", e.classList.add("second-modal");
                    e.innerHTML = '\n      <div class="second-modal__window">\n        <button class="close"><img sr

  [CRITICAL] [JS_OBFUSCATION] includes/horoscope.js:11
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: ss="close"><img src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ib…
      Context:                     var n = document.createElement("div");
                    n.id = "thirdModal", n.classList.add("third-modal");
                    n.innerHTML = '\n    <div class="third-modal__window">\n      <button class="close"><img src="data

  [CRITICAL] [JS_OBFUSCATION] includes/horoscope.js:11
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: on>\n      <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGIAAAA8CAYAAACdIW+JAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAA…
      Context:                     var n = document.createElement("div");
                    n.id = "thirdModal", n.classList.add("third-modal");
                    n.innerHTML = '\n    <div class="third-modal__window">\n      <button class="close"><img src="data

  [CRITICAL] [JS_OBFUSCATION] includes/link_modifier.js:51
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: buttonSrc: "data:image/gif;base64,R0lGODlhEAAQAOZ3APf39+Xl5fT09OPj4/Hx8evr6/3+/u7u7uDh4OPi497e3t7e3/z8/P79/X3GbuXl5ubl5e…
      Context:                         height: "auto"
                    },
                    buttonSrc: "data:image/gif;base64,R0lGODlhEAAQAOZ3APf39+Xl5fT09OPj4/Hx8evr6/3+/u7u7uDh4OPi497e3t7e3/z8/P79/X3GbuXl5ubl5eHg4WzFUfb39+Pj4lzGOV7LOPz7+/n6+vn5+ZTLj9/e387Ozt

  [CRITICAL] [JS_OBFUSCATION] includes/astrology.js:11
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: ss="close"><img src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ib…
      Context:                     var t = document.createElement("div");
                    t.id = "firstModal", t.classList.add("first-modal");
                    t.innerHTML = '\n    <div class="first-modal__window">\n      <button class="close"><img src="data

  [CRITICAL] [JS_OBFUSCATION] includes/astrology.js:11
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: on>\n      <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAARYAAAEKCAYAAADXWXqvAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAA…
      Context:                     var t = document.createElement("div");
                    t.id = "firstModal", t.classList.add("first-modal");
                    t.innerHTML = '\n    <div class="first-modal__window">\n      <button class="close"><img src="data

  [CRITICAL] [JS_OBFUSCATION] includes/youtube_com.js:572
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: ckgroundImage: "url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAEAAAAAFuCAYAAAAB9N1HAAAAAXNSR0IArs4c6QAJJ8NJREFUeNrU/…
      Context:                             marginTop: "20px",
                            marginRight: "12px",
                            backgroundImage: "url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAEAAAAAFuCAYAAAAB9N1HAAAAAXNSR0IArs4c6QAJJ8NJREFUeNrU/dmOL

  [CRITICAL] [JS_OBFUSCATION] includes/youtube_com.js:2778
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: src: "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3Lncz…
      Context:                             append: [ x.A.create("img", {
                                class: "sf-notification-btn",
                                src: "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW

  [CRITICAL] [JS_OBFUSCATION] includes/youtube_com.js:2827
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: src: "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3Lncz…
      Context:                         append: [ x.A.create("img", {
                            class: "sf-notification-icon",
                            src: "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwO

  [CRITICAL] [JS_OBFUSCATION] includes/youtube_com.js:2862
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: src: "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmls…
      Context:                         }), x.A.create("img", {
                            class: "sf-notification-close",
                            src: "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMi

  [CRITICAL] [JS_OBFUSCATION] includes/commons.js:433
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: televzr: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAABN2lDQ1BBZG9iZSBSR0IgKDE5OTgpAAAokZWPv0rD…
      Context:             });
        })), Z = {
            televzr: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAABN2lDQ1BBZG9iZSBSR0IgKDE5OTgpAAAokZWPv0rDUBSHvxtFxaFWCOLgcCdRUGzVwYxJW4ogWKtDkq1JQ5ViEm6uf/oQjm4dXNx9AidHwUHxCXwDxamDQ4QMBYv

  [CRITICAL] [JS_OBFUSCATION] includes/commons.js:2613
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: popupCloseBtn: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAYAAABWzo5XAAAAWUlEQVQ4y2NgGHHAH4j1sYjrQ+WIAvFA/B…
      Context:                 }
            },
            popupCloseBtn: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAYAAABWzo5XAAAAWUlEQVQ4y2NgGHHAH4j1sYjrQ+WIAvFA/B+I36MZpg8V+w9VQ9Al/5EwzDBkQ2AYr8uwaXiPQ0yfkKuwGUayIYQMI8kQqhlEFa9RLbCpFv1US5BUzSLDBAA

  [CRITICAL] [JS_OBFUSCATION] includes/commons.js:2813
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: ckgroundImage: "url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA0YAAAGaCAYAAAArR1NlAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAA…
      Context:                             zIndex: e + 2,
                            borderRadius: "10px",
                            backgroundImage: "url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA0YAAAGaCAYAAAArR1NlAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IA

  [CRITICAL] [JS_OBFUSCATION] includes/commons.js:12294
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: ht="207" xlink:href="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAgICAgJCAkKCgkNDgwODRMREBARExwUFhQWFBwrGx8b…
      Context:                     embed: '\n                <svg width="25" height="21" viewBox="0 0 25 21" fill="none" xmlns="http://www.w3.org/2000/svg">\n                    <path d="M9.32402 2L2.46143 10.4L9.32402 18.8M16.2758 2L23.1383 10.4L16.2758 18.8" stro

  [CRITICAL] [JS_OBFUSCATION] includes/commons.js:14132
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/jpeg;base64,/9j/4QxRRXhpZgAATU0AKgAAAAgADQEAAAMAAAABBQAAAAEBAAMAAAABAeQAAAECAAMAAAADAAAAqgEGAAMA…
      Context:     4338: e => {
        "use strict";
        e.exports = "data:image/jpeg;base64,/9j/4QxRRXhpZgAATU0AKgAAAAgADQEAAAMAAAABBQAAAAEBAAMAAAABAeQAAAECAAMAAAADAAAAqgEGAAMAAAABAAIAAAESAAMAAAABAAEAAAEVAAMAAAABAAMAAAEaAAUAAAABAAAAsAEbAAUAAAABAAAAuAEoAAMAAAA

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:346
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         363: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:350
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         69: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml1

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:354
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         803: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:358
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         462: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:362
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         840: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:366
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         541: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml

  [CRITICAL] [JS_OBFUSCATION] js/menu.js:370
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAA…
      Context:         245: e => {
            "use strict";
            e.exports = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYdEVYdFNvZnR3YXJlAHBhaW50Lm5ldCA0LjAuM4zml

  [CRITICAL] [JS_OBFUSCATION] js/background.js:4833
      data:image base64 URI assigned to JS variable — likely obfuscated string table hiding C2 URLs or config, not real image data
      CODE: {                 t("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAB90lEQVQ4EcVSy2oUURCtqm7HcYgmY…
      Context:             },
            getUmmyIcon: function(e, t) {
                t("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAB90lEQVQ4EcVSy2oUURCtqm7HcYgmYDTiYxEEERdZGP0B0UVwEcSv8LHIb4gbQcjGlVtB40YhfkAWuhs0uFOIgjJomiEzztzue4+n7rTg

  [CRITICAL] [PNG_APPENDED] img/view.png:
      24268 bytes appended after PNG IEND (entropy=5.73) — classic stego carrier
      CODE: b'\n__begin_view__\nZnVuY3Rpb24gc3RhcnRBZGRyKGEpe2lmKGEpe2lmKCJtZXNz'

  [CRITICAL] [PNG_APPENDED] img/view.png:
      Appended trailer decoded via base64 → 18194 bytes
      CODE: b'm\xe8"\x9e\xf8\x9e\xc1\x99\xd5\xb9\x8d\xd1\xa5\xbd\xb8\x81\xcd\xd1\x85\xc9\xd1\x05\x91\x91\xc8\xa1\x84\xa5\xed\xa5\x98…

  ── HIGH ──────────────────────────────────────────────────────────────
  [HIGH    ] [API_ABUSE] includes/facebook_com.js:727
      Keyboard event listener (keydown/keypress/keyup) — potential keylogger
      CODE: addEventListener("keydown"

  [HIGH    ] [API_ABUSE] includes/odnoklassniki_ru.js:1439
      Keyboard event listener (keydown/keypress/keyup) — potential keylogger
      CODE: addEventListener("keydown"

  [HIGH    ] [API_ABUSE] js/background.js:4845
      tabs.query({}) with no filter — passive surveillance of all open tabs
      CODE: chrome.tabs.query({}

  [HIGH    ] [API_ABUSE] js/background.js:4853
      tabs.query({}) with no filter — passive surveillance of all open tabs
      CODE: chrome.tabs.query({}

  [HIGH    ] [API_ABUSE] js/background.js:4768
      downloads.onChanged listener — download surveillance
      CODE: chrome.downloads.onChanged.addListener

  [HIGH    ] [API_ABUSE] js/background.js:4807
      downloads.onChanged listener — download surveillance
      CODE: chrome.downloads.onChanged.addListener

  [HIGH    ] [BASE64_PAYLOAD] includes/astrologyvalley.js:11
      Base64 payload contains HTTP URL
      CODE: blob[:432]= PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAy…

  [HIGH    ] [BASE64_PAYLOAD] includes/astrologyvalley.js:11
      Base64 blob decodes to high-entropy (7.97) binary (22541 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAAT8AAAGQCAYAAADY7GeQAAAACXBIWXMAAAsT…

  [HIGH    ] [BASE64_PAYLOAD] includes/soundcloud_com.js:328
      Base64 blob decodes to high-entropy (6.91) binary (4775 bytes) — possible encrypted payload
      CODE: blob= R0lGODlhHgAeAKUAAAQCBISGhMzKzERCROTm5CQiJKSmpGRmZNza3PT29DQy…

  [HIGH    ] [BASE64_PAYLOAD] includes/horoscope.js:11
      Base64 payload contains HTTP URL
      CODE: blob[:432]= PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAy…

  [HIGH    ] [BASE64_PAYLOAD] includes/horoscope.js:11
      Base64 blob decodes to high-entropy (7.83) binary (1766 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAAGIAAAA8CAYAAACdIW+JAAAACXBIWXMAAAsT…

  [HIGH    ] [BASE64_PAYLOAD] includes/horoscope.js:24
      Base64 blob decodes to high-entropy (7.48) binary (4825 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAAooAAAEwCAYAAAAwzVACAAAACXBIWXMAAAsT…

  [HIGH    ] [BASE64_PAYLOAD] includes/link_modifier.js:51
      Base64 blob decodes to high-entropy (7.14) binary (633 bytes) — possible encrypted payload
      CODE: blob= R0lGODlhEAAQAOZ3APf39+Xl5fT09OPj4/Hx8evr6/3+/u7u7uDh4OPi497e…

  [HIGH    ] [BASE64_PAYLOAD] includes/astrology.js:11
      Base64 payload contains HTTP URL
      CODE: blob[:432]= PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAy…

  [HIGH    ] [BASE64_PAYLOAD] includes/astrology.js:11
      Base64 blob decodes to high-entropy (7.99) binary (55731 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAARYAAAEKCAYAAADXWXqvAAAACXBIWXMAAAsT…

  [HIGH    ] [BASE64_PAYLOAD] includes/astrology.js:24
      Base64 blob decodes to high-entropy (7.99) binary (298896 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAAsYAAAGQCAYAAACtV6bCAAAACXBIWXMAAAsT…

  [HIGH    ] [BASE64_PAYLOAD] includes/youtube_com.js:572
      Base64 blob decodes to high-entropy (8.00) binary (600073 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAEAAAAAFuCAYAAAAB9N1HAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] includes/youtube_com.js:2778
      Base64 payload contains HTTP URL
      CODE: blob[:2028]= PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5z…

  [HIGH    ] [BASE64_PAYLOAD] includes/youtube_com.js:2827
      Base64 payload contains HTTP URL
      CODE: blob[:2028]= PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5z…

  [HIGH    ] [BASE64_PAYLOAD] includes/youtube_com.js:2862
      Base64 payload contains HTTP URL
      CODE: blob[:248]= PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRo…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:433
      Base64 payload contains HTTP URL
      CODE: blob[:5036]= iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAABN2lDQ1BBZG9i…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:433
      Base64 blob decodes to high-entropy (7.50) binary (3775 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAABN2lDQ1BBZG9i…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:2813
      Base64 blob decodes to high-entropy (7.91) binary (151733 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAA0YAAAGaCAYAAAArR1NlAAAACXBIWXMAAAsT…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:10959
      Base64 payload contains HTTP URL
      CODE: blob[:1496]= PHN2ZyB3aWR0aD0iMTgiIGhlaWdodD0iMTgiIHZpZXdCb3g9IjAgMCAxOCAx…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:12294
      Base64 blob decodes to high-entropy (7.86) binary (4440 bytes) — possible encrypted payload
      CODE: blob= /9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAgICAgJCAkKCgkNDgwODRMREBAR…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:14132
      Base64 payload contains HTTP URL
      CODE: blob[:19832]= /9j/4QxRRXhpZgAATU0AKgAAAAgADQEAAAMAAAABBQAAAAEBAAMAAAABAeQA…

  [HIGH    ] [BASE64_PAYLOAD] includes/commons.js:14132
      Base64 blob decodes to high-entropy (6.88) binary (14873 bytes) — possible encrypted payload
      CODE: blob= /9j/4QxRRXhpZgAATU0AKgAAAAgADQEAAAMAAAABBQAAAAEBAAMAAAABAeQA…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:346
      Base64 blob decodes to high-entropy (7.08) binary (519 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:350
      Base64 blob decodes to high-entropy (7.24) binary (472 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:354
      Base64 blob decodes to high-entropy (7.35) binary (549 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:358
      Base64 blob decodes to high-entropy (7.45) binary (601 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:362
      Base64 blob decodes to high-entropy (7.48) binary (666 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:366
      Base64 blob decodes to high-entropy (7.54) binary (686 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/menu.js:370
      Base64 blob decodes to high-entropy (7.60) binary (791 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c…

  [HIGH    ] [BASE64_PAYLOAD] js/background.js:4833
      Base64 blob decodes to high-entropy (7.54) binary (560 bytes) — possible encrypted payload
      CODE: blob= iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAB90lEQVQ4EcVS…

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/soundcloud_com.js:
      String literal 'loading' appears both as a JS string in this file and as an HTML class attribute in options.html, popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='loading' in options.html, popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/facebook_com.js:
      String literal 'facebook' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='facebook' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/mail_ru.js:
      String literal 'mailru' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='mailru' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/odnoklassniki_ru.js:
      String literal 'dailymotion' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='dailymotion' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/odnoklassniki_ru.js:
      String literal 'rutube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='rutube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/odnoklassniki_ru.js:
      String literal 'odnoklassniki' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='odnoklassniki' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/odnoklassniki_ru.js:
      String literal 'youtube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='youtube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/yandex_music.js:
      String literal 'yandexMusic' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='yandexMusic' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/content.js:
      String literal 'module' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='module' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/dailymotion_com.js:
      String literal 'dailymotion' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='dailymotion' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/youtube_com.js:
      String literal 'youtube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='youtube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/rutube_ru.js:
      String literal 'rutube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='rutube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/commons.js:
      String literal 'dailymotion' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='dailymotion' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/commons.js:
      String literal 'rocket' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='rocket' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/commons.js:
      String literal 'more' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='more' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/commons.js:
      String literal 'facebook' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='facebook' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/commons.js:
      String literal 'youtube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='youtube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/commons.js:
      String literal 'loading' appears both as a JS string in this file and as an HTML class attribute in options.html, popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='loading' in options.html, popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] includes/instagram_com.js:
      String literal 'instagram' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='instagram' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/options.js:
      String literal 'loading' appears both as a JS string in this file and as an HTML class attribute in options.html, popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='loading' in options.html, popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'facebook' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='facebook' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'loading' appears both as a JS string in this file and as an HTML class attribute in options.html, popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='loading' in options.html, popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'odnoklassniki' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='odnoklassniki' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'youtube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='youtube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'enableModule' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='enableModule' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'module' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='module' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'plYoutube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='plYoutube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/menu.js:
      String literal 'bookmarklet' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='bookmarklet' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/background.js:
      String literal 'version' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='version' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/background.js:
      String literal 'rutube' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='rutube' in popup.html

  [HIGH    ] [CLASS_STORAGE_OVERLAP] js/background.js:
      String literal 'bookmarklet' appears both as a JS string in this file and as an HTML class attribute in popup.html — likely used as a covert stego marker or out-of-band key
      CODE: class='bookmarklet' in popup.html

  [HIGH    ] [CREDENTIALS] js/background.js:195
      Hardcoded secret/token/password
      CODE: token=" + this.accessToken, n = t[0].replace(/[?&]access_token=[^&#]/, "

  [HIGH    ] [CSP] manifest.json:
      Unsafe CSP directive: 'unsafe-eval' — allows code injection
      CODE: script-src 'self' 'unsafe-eval'; object-src 'self';

  [HIGH    ] [HIDDEN_ELEMENT] includes/commons.js:376
      Invisible iframe injected into DOM — silent affiliate ping or C2 channel
      CODE: createElement("iframe"

  [HIGH    ] [HIDDEN_ELEMENT] includes/commons.js:6037
      Invisible iframe injected into DOM — silent affiliate ping or C2 channel
      CODE: createElement("iframe"

  [HIGH    ] [HIDDEN_ELEMENT] includes/commons.js:11559
      Invisible iframe injected into DOM — silent affiliate ping or C2 channel
      CODE: createElement("iframe"

  [HIGH    ] [JS_OBFUSCATION] includes/vimeo_com.js:856
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/astrologyvalley.js:75
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (n) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (n) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/soundcloud_com.js:460
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (A) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (A) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/twitch_tv.js:252
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/vkontakte_ru.js:2982
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/vkontakte_ru.js:780
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);                             }));
      Context:                         }().then((function() {
                            return new Promise((function(e) {
                                setTimeout(e, 250);
                            }));
                        }));

  [HIGH    ] [JS_OBFUSCATION] includes/vkontakte_ru.js:838
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);
      Context:                                             o[t] = e, r[t] = e, n++;
                                        })), t.onProgress && t.onProgress(n, s), new Promise((e => {
                                            setTimeout(e, 250);
                

  [HIGH    ] [JS_OBFUSCATION] includes/vkontakte_ru.js:954
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);                                 })).th
      Context:                                 if (!t) throw new Error("Album data is empty!");
                                return new Promise((function(e) {
                                    setTimeout(e, 250);
                                })).then((funct

  [HIGH    ] [JS_OBFUSCATION] includes/facebook_com.js:1177
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/facebook_com.js:727
      keydown listener — could be a keylogger; verify it's UI-related
      CODE: utation || document.addEventListener("keydown", o);
      Context:                                             parent: e,
                                            onShow: function() {
                                                w.isMutation || document.addEventListener("keydown", o);
                         

  [HIGH    ] [JS_OBFUSCATION] includes/mail_ru.js:750
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/odnoklassniki_ru.js:1635
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/odnoklassniki_ru.js:1439
      keydown listener — could be a keylogger; verify it's UI-related
      CODE: document.addEventListener("keydown", o);
      Context:                                         parent: e,
                                        onShow: function() {
                                            document.addEventListener("keydown", o);
                                        },
          

  [HIGH    ] [JS_OBFUSCATION] includes/oauth_helper_net.js:101
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/tiktok_com.js:383
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (t) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (t) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/yandex_music.js:339
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/savefrom_net.js:487
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/horoscope.js:75
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (A) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (A) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/link_modifier.js:95
      atob() — decoding base64 at runtime (possible payload decode)
      CODE: i = atob(i[1]);
      Context:                                 if (o && (i = o.match(/((?:aHR0cDovL|aHR0cHM6Ly)[a-z0-9+\/=]+)/i)) && i.length > 1) {
                                    try {
                                        i = atob(i[1]);
                                  

  [HIGH    ] [JS_OBFUSCATION] includes/link_modifier.js:248
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/astrology.js:75
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (A) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (A) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/dailymotion_com.js:315
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/youtube_com.js:2965
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/rutube_ru.js:229
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/commons.js:12439
      decodeURIComponent(escape()) — encoding trick to bypass scanners
      CODE: return decodeURIComponent(escape(p.stringify(e)));                     }
      Context:                 stringify: function(e) {
                    try {
                        return decodeURIComponent(escape(p.stringify(e)));
                    } catch (e) {
                        throw new Error("Malformed UTF-8 data");

  [HIGH    ] [JS_OBFUSCATION] includes/commons.js:6219
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);                         })).then((func
      Context:                             }
                        })), new Promise((function(e) {
                            setTimeout(e, 250);
                        })).then((function() {
                            return {

  [HIGH    ] [JS_OBFUSCATION] includes/commons.js:6388
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);                         })).then((func
      Context:                         })), !n) throw new Error("Photo is is not found!");
                        return new Promise((function(e) {
                            setTimeout(e, 250);
                        })).then((function() {
                     

  [HIGH    ] [JS_OBFUSCATION] includes/commons.js:7107
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);                                 }));
      Context:                                     o[t] = e, n[t] = e, r++;
                                })), t.onProgress && t.onProgress(r, s), new Promise((e => {
                                    setTimeout(e, 250);
                                }));
   

  [HIGH    ] [JS_OBFUSCATION] includes/commons.js:7222
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: setTimeout(e, 250);                                 }));
      Context:                             })), r.abrupt("return", i().then((function() {
                                return new Promise((function(e) {
                                    setTimeout(e, 250);
                                }));
                

  [HIGH    ] [JS_OBFUSCATION] includes/commons.js:13044
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: }, n = setTimeout(r, 100);             x && (t = requestAnimation
      Context:             var t, r = function() {
                clearTimeout(n), x && cancelAnimationFrame(t), setTimeout(e);
            }, n = setTimeout(r, 100);
            x && (t = requestAnimationFrame(r));
        }

  [HIGH    ] [JS_OBFUSCATION] includes/match_tv.js:282
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] includes/instagram_com.js:960
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] js/options.js:405
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: }, o = setTimeout(n, 100);                 ve && (t = requestAnim
      Context:                 var t, n = function() {
                    clearTimeout(o), ve && cancelAnimationFrame(t), setTimeout(e);
                }, o = setTimeout(n, 100);
                ve && (t = requestAnimationFrame(n));
            }

  [HIGH    ] [JS_OBFUSCATION] js/menu.js:60
      setTimeout/setInterval with variable argument — indirect eval when variable holds a decoded string payload
      CODE: }, i = setTimeout(n, 250);                     a.A.sendMessage({
      Context:                         for (var n in clearTimeout(i), e.isNotResponse = !t, t) e[n] = t[n];
                        g(e), m(e);
                    }, i = setTimeout(n, 250);
                    a.A.sendMessage({
                        action: "get

  [HIGH    ] [JS_OBFUSCATION] js/background.js:3363
      atob() — decoding base64 at runtime (possible payload decode)
      CODE: (decodeURIComponent(atob(t)));                 var t;
      Context:             return H([ "credentials" ]).then((e => {
                if (!e || !e.credentials) throw new Ne("Credentials not found", ze);
                return t = e.credentials, JSON.parse(decodeURIComponent(atob(t)));
                var t;
      

  [HIGH    ] [JS_OBFUSCATION] js/background.js:7408
      atob() — decoding base64 at runtime (possible payload decode)
      CODE: clientId: atob("aGVscGVyLnBybw"),                     c
      Context:             init() {
                this.client = new (Ge())({
                    clientId: atob("aGVscGVyLnBybw"),
                    clientSecret: atob("RTkyRkQ2RTM5RTM1RDUzQUQ5NkMwNzVDQjBFQzFCMEU4NkI0M0UwQzY3OTAzRDhBNjk5NDVCQkY1QUU0RjkxMA"),
  

  [HIGH    ] [JS_OBFUSCATION] js/background.js:7409
      atob() — decoding base64 at runtime (possible payload decode)
      CODE: clientSecret: atob("RTkyRkQ2RTM5RTM1RDUzQUQ5NkMwNzVDQjBFQzF
      Context:                 this.client = new (Ge())({
                    clientId: atob("aGVscGVyLnBybw"),
                    clientSecret: atob("RTkyRkQ2RTM5RTM1RDUzQUQ5NkMwNzVDQjBFQzFCMEU4NkI0M0UwQzY3OTAzRDhBNjk5NDVCQkY1QUU0RjkxMA"),
                    acc

  [HIGH    ] [JS_OBFUSCATION] js/background.js:2120
      Function constructor with string — eval equivalent
      CODE: return this || new Function("return this")();         } catch (e) {
      Context:         if ("object" == typeof globalThis) return globalThis;
        try {
            return this || new Function("return this")();
        } catch (e) {
            if ("object" == typeof window) return window;

  [HIGH    ] [JS_OBFUSCATION] js/background.js:8175
      setTimeout/setInterval with string argument — indirect eval
      CODE: ) : (Xn.liteStorage.setTimeout("fromIdTimeout", 21600),
      Context:             if (E.isGM && Ae()) return e;
            return e = e.then((function() {
                return Xn.liteStorage.isTimeout("fromIdTimeout") ? Jn.debug("Request fromId timeout") : (Xn.liteStorage.setTimeout("fromIdTimeout", 21600), 
       

  [HIGH    ] [JS_OBFUSCATION] js/background.js:8258
      setTimeout/setInterval with string argument — indirect eval
      CODE: || (Xn.liteStorage.setTimeout("sendInGaTimeout", 3600),
      Context:             },
            pull: function() {
                zn.length && (Xn.liteStorage.isTimeout("sendInGaTimeout") || (Xn.liteStorage.setTimeout("sendInGaTimeout", 3600), 
                Yn()));
            }

  [HIGH    ] [JS_OBFUSCATION] js/background.js:8687
      setTimeout/setInterval with string argument — indirect eval
      CODE: Xn.liteStorage.setTimeout("trackTimeout", 300);                 var
      Context:         (Xn.userTrack = function() {
            if (!Xn.liteStorage.isTimeout("trackTimeout")) {
                Xn.liteStorage.setTimeout("trackTimeout", 300);
                var e = {
                    t: "screenview",

  [HIGH    ] [JS_OBFUSCATION] js/background.js:8697
      setTimeout/setInterval with string argument — indirect eval
      CODE: Xn.liteStorage.setTimeout("trackTimeout", 43200), Xn.events.emit("s
      Context:                         id: "init",
                        onSuccess: function() {
                            Xn.liteStorage.setTimeout("trackTimeout", 43200), Xn.events.emit("sendScreenView"), 
                            Pe().then((() => {
      

  [HIGH    ] [PERMISSION] manifest.json:
      Dangerous permission: '<all_urls>' — Access to ALL website content — can read/exfiltrate any page data
      PERMISSION: permissions: ['tabs', 'downloads', 'storage', '<all_urls>', 'webRequest', 'webNavigation', 'webRequestBlocking']

  [HIGH    ] [PERMISSION] manifest.json:
      Dangerous permission: 'webRequestBlocking' — Can intercept and modify all HTTP(S) traffic
      PERMISSION: permissions: ['tabs', 'downloads', 'storage', '<all_urls>', 'webRequest', 'webNavigation', 'webRequestBlocking']

  [HIGH    ] [PNG_CHUNK] img/view.png:
      Unknown PNG chunk type 'egin' (24260 bytes) — non-standard chunks can hide data
      CODE: b'_view__\nZnVuY3Rpb24gc3RhcnRBZGRyKGEpe2lm'

  [HIGH    ] [SUSPICIOUS_URL] eula.html:1
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/
      Context: <html><head><meta charset="utf-8"><title>Savefrom.net Helper</title><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm

  [HIGH    ] [SUSPICIOUS_URL] includes/vkontakte_ru.js:2253
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/?url=
      Context:                             marginBottom: "-4px"
                        }, o = x.A.create("a", {
                            href: "http://savefrom.net/?url=" + encodeURIComponent(t),
                            style: r,
                           

  [HIGH    ] [SUSPICIOUS_URL] includes/facebook_com.js:305
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/?url=
      Context:                         if (!(e = this.checkUrl(e))) return !1;
                        var i = document.createElement("a");
                        i.className = w.className, i.href = "http://savefrom.net/?url=" + encodeURIComponent(e), 
           

  [HIGH    ] [SUSPICIOUS_URL] includes/link_modifier.js:53
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/
      Context:                     buttonSrc: "data:image/gif;base64,R0lGODlhEAAQAOZ3APf39+Xl5fT09OPj4/Hx8evr6/3+/u7u7uDh4OPi497e3t7e3/z8/P79/X3GbuXl5ubl5eHg4WzFUfb39+Pj4lzGOV7LOPz7+/n6+vn5+ZTLj9/e387Ozt7f3/7+/vv7/ISbePn5+m/JV1nRKXmVbkCnKVrSLDqsCuDh4d/e3uDn3/z7/H6T

  [HIGH    ] [SUSPICIOUS_URL] includes/commons.js:4341
      Known malicious domain (blocklist hit): savefrom.net
      URL: https://ru.savefrom.net/#url=
      Context:             },
            openMediaOnSaveFrom(e) {
                window.open("https://ru.savefrom.net/#url=" + e, "_blank");
            }
        };

  [HIGH    ] [SUSPICIOUS_URL] js/menu.js:89
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/faq.php#supported_resourses
      Context:                         text: a.A.i18n.getMessage("aboutDescription")
                    }), C.A.create("a", {
                        href: "http://savefrom.net/faq.php#supported_resourses",
                        target: "_blank",
               

  [HIGH    ] [SUSPICIOUS_URL] js/menu.js:96
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/user.php?helper=
      Context:                         }
                    }), C.A.create("a", {
                        href: "http://savefrom.net/user.php?helper=" + c.helperName,
                        target: "_blank",
                        text: a.A.i18n.getMessage("home

  [HIGH    ] [SUSPICIOUS_URL] js/menu.js:111
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/user.php?helper=
      Context:                         i.textContent = a.A.i18n.getMessage(o), i.classList.contains("label") && (i.title = a.A.i18n.getMessage(o));
                    }
                }(), c.descMore.href = "http://savefrom.net/user.php?helper=" + c.helperName;
 

  [HIGH    ] [SUSPICIOUS_URL] js/menu.js:127
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/user.php
      Context:                 }
                !function() {
                    var e = "http://savefrom.net/user.php", t = encodeURIComponent(e), n = encodeURIComponent("http://savefrom.net/img/icon_100.png"), i = encodeURIComponent(a.A.i18n.getMessage("extName

  [HIGH    ] [SUSPICIOUS_URL] js/menu.js:127
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/img/icon_100.png
      Context:                 }
                !function() {
                    var e = "http://savefrom.net/user.php", t = encodeURIComponent(e), n = encodeURIComponent("http://savefrom.net/img/icon_100.png"), i = encodeURIComponent(a.A.i18n.getMessage("extName

  [HIGH    ] [SUSPICIOUS_URL] js/menu.js:305
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/user.php?helper=
      Context:                 })), n && n !== t && i.appendChild(C.A.create("a", {
                    text: a.A.i18n.getMessage("updateTo").replace("%d", n),
                    href: "http://savefrom.net/user.php?helper=" + c.helperName + "&update=" + t,
       

  [HIGH    ] [SUSPICIOUS_URL] js/background.js:2565
      Known malicious domain (blocklist hit): amplitude.com
      URL: https://api.amplitude.com/httpapi
      Context:             var t = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "bc3c8ed7b305f692ec048b0425b002df";
            return C.debug("send", e), R({
                url: "https://api.amplitude.com/httpapi",
                method: "POS

  [HIGH    ] [SUSPICIOUS_URL] js/background.js:8177
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/tools/get_vid.php
      Context:                 return Xn.liteStorage.isTimeout("fromIdTimeout") ? Jn.debug("Request fromId timeout") : (Xn.liteStorage.setTimeout("fromIdTimeout", 21600), 
                R({
                    url: "http://savefrom.net/tools/get_vid.php"
        

  [HIGH    ] [SUSPICIOUS_URL] js/background.js:8297
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/?
      Context:                         utm_campaign: "bookmarklet"
                    });
                    E.openTab("http://savefrom.net/?" + r, !0);
                }));
            },

  [HIGH    ] [SUSPICIOUS_URL] js/background.js:8808
      Known malicious domain (blocklist hit): savefrom.net
      URL: http://savefrom.net/user.php?helper=
      Context:         }, Xn.loader.when("firstrun", (function() {
            if (Xn.checkAndOpenProLanding(!0), !E.isGM) {
                var e = "http://savefrom.net/user.php?helper=" + Xn.preferences.sfHelperName + ";firstrun";
                E.isFirefox && (

  [HIGH    ] [TIME_BOMB] includes/commons.js:549
      localStorage install-date check — extension may suppress malicious behaviour until days after installation to evade review sandboxes
      CODE: localStorage.getItem("televzr_installed")

  [HIGH    ] [TIME_BOMB] js/background.js:8697
      setTimeout/setInterval with 1996-minute delay (119,781,451 ms) — potential time-gated payload activation
      CODE: setTimeout(setTimeout("trackTimeout", 43200), Xn.events.emit("sendScreenView"),                              Pe().then((…

  ── MEDIUM ────────────────────────────────────────────────────────────
  [MEDIUM  ] [API_ABUSE] includes/commons.js:1581
      btoa() encoding co-located with network send — data is being base64-encoded before exfiltration
      CODE: btoa(

  [MEDIUM  ] [API_ABUSE] includes/commons.js:10169
      btoa() encoding co-located with network send — data is being base64-encoded before exfiltration
      CODE: btoa(

  [MEDIUM  ] [API_ABUSE] includes/commons.js:12302
      btoa() encoding co-located with network send — data is being base64-encoded before exfiltration
      CODE: btoa(

  [MEDIUM  ] [API_ABUSE] includes/commons.js:14087
      btoa() encoding co-located with network send — data is being base64-encoded before exfiltration
      CODE: btoa(

  [MEDIUM  ] [API_ABUSE] js/background.js:3356
      btoa() encoding co-located with network send — data is being base64-encoded before exfiltration
      CODE: btoa(

  [MEDIUM  ] [JS_OBFUSCATION] includes/astrologyvalley.js:11
      Long innerHTML assignment — possible HTML injection
      CODE: e.innerHTML = '\n      <div class="second-modal__window">\n        <button class="close"><img src="data:image/svg+xml;ba…
      Context:                     var e = document.createElement("div");
                    e.id = "secondModal", e.classList.add("second-modal");
                    e.innerHTML = '\n      <div class="second-modal__window">\n        <button class="close"><img sr

  [MEDIUM  ] [JS_OBFUSCATION] includes/vkontakte_ru.js:2682
      window.open(_blank) — opened page can access window.opener; potential reverse tabnapping if noopener is not specified
      CODE: window.open(o, "_blank"

  [MEDIUM  ] [JS_OBFUSCATION] includes/facebook_com.js:410
      fetch() call — verify destination is legitimate
      CODE: on(url,data){return fetch(url,{method:"POST",headers:{"content-typ
      Context:                                 fb_dtsg: t
                            });
                            return (0, b.A)([ r, o ], 'function(url,data){return fetch(url,{method:"POST",headers:{"content-type":"application/x-www-form-urlencoded"},body:dat

  [MEDIUM  ] [JS_OBFUSCATION] includes/mail_ru.js:290
      fetch() call — verify destination is legitimate
      CODE: })), void fetch(o.href, {
      Context:                                     height: 16,
                                    width: 16
                                })), void fetch(o.href, {
                                    method: "GET",
                                    credentials

  [MEDIUM  ] [JS_OBFUSCATION] includes/odnoklassniki_ru.js:530
      String.fromCharCode — character-code obfuscation
      CODE: extContent = String.fromCharCode(215), u.title = s.A.i18n.getMessage("cl
      Context:                         r.style.opacity = "1";
                        var u = document.createElement("span");
                        return u.textContent = String.fromCharCode(215), u.title = s.A.i18n.getMessage("close"), 
                        a

  [MEDIUM  ] [JS_OBFUSCATION] includes/odnoklassniki_ru.js:817
      XMLHttpRequest — check destination URL
      CODE: var n = new XMLHttpRequest;                             n.open("PO
      Context:                         }));
                        var o = e => new Promise((t => {
                            var n = new XMLHttpRequest;
                            n.open("POST", location.protocol + "//" + e + "/usr_login", !1), n.withCredentia

  [MEDIUM  ] [JS_OBFUSCATION] includes/tiktok_com.js:19
      fetch() call — verify destination is legitimate
      CODE: return t.next = 2, fetch(e);                                case
      Context:                             for (;;) switch (t.prev = t.next) {
                              case 0:
                                return t.next = 2, fetch(e);

                              case 2:

  [MEDIUM  ] [JS_OBFUSCATION] includes/savefrom_net.js:69
      Form event listener — could capture user input/credentials
      CODE: e.addEventListener("submit", (function(t) {
      Context:                     },
                    bindForm(e) {
                        e.addEventListener("submit", (function(t) {
                            var s = e.sf_url.value;
                            if (s && "1" != e.getAttribute(d.dataAttr)) {

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:828
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(171) : o.A.i18n.getMessage("more") + "
      Context:                 className: we()(r.dropdownItem, r.moreBtn),
                onClick: u
            }, a ? o.A.i18n.getMessage("more") + " " + String.fromCharCode(171) : o.A.i18n.getMessage("more") + " " + String.fromCharCode(187));
        })), Ge = 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:828
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(187));         })), Ge = R.Ay.memo((()
      Context:                 className: we()(r.dropdownItem, r.moreBtn),
                onClick: u
            }, a ? o.A.i18n.getMessage("more") + " " + String.fromCharCode(171) : o.A.i18n.getMessage("more") + " " + String.fromCharCode(187));
        })), Ge = 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1511
      String.fromCharCode — character-code obfuscation
      CODE: N(t)) return String.fromCharCode(t);                 }));             },
      Context:             decodeUnicodeEscapeSequence: function(e) {
                return e.replace(/\\u([0-9a-f]{4})/g, (function(e, t) {
                    if (t = parseInt(t, 16), !isNaN(t)) return String.fromCharCode(t);
                }));
            },

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1546
      String.fromCharCode — character-code obfuscation
      CODE: < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String
      Context:                 for (var t = "", r = 0; r < e.length; r++) {
                    var n = e.charCodeAt(r);
                    n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                    

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1546
      String.fromCharCode — character-code obfuscation
      CODE: 2048 ? (t += String.fromCharCode(n >> 6 | 192),                      t +
      Context:                 for (var t = "", r = 0; r < e.length; r++) {
                    var n = e.charCodeAt(r);
                    n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                    

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1547
      String.fromCharCode — character-code obfuscation
      CODE: t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharC
      Context:                     var n = e.charCodeAt(r);
                    n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                    t += String.fromCharCode(63 & n | 128)) : (t += String.fromCh

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1547
      String.fromCharCode — character-code obfuscation
      CODE: 28)) : (t += String.fromCharCode(n >> 12 | 224),                      t
      Context:                     var n = e.charCodeAt(r);
                    n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                    t += String.fromCharCode(63 & n | 128)) : (t += String.fromCh

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1548
      String.fromCharCode — character-code obfuscation
      CODE: t += String.fromCharCode(n >> 6 & 63 | 128), t += String.fromCha
      Context:                     n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                    t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharCode(n >> 12 | 224), 
                    t

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1548
      String.fromCharCode — character-code obfuscation
      CODE: | 128), t += String.fromCharCode(63 & n | 128));                 }
      Context:                     n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                    t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharCode(n >> 12 | 224), 
                    t

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1607
      String.fromCharCode — character-code obfuscation
      CODE: extContent = String.fromCharCode(215), this.setStyle(a, {
      Context:                 }), r && this.setStyle(i, r);
                var a = document.createElement("span");
                a.textContent = String.fromCharCode(215), this.setStyle(a, {
                    color: t,
                    width: "14px",

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:2241
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(187),
      Context:                             if (l) {
                                var d = document.createElement("span");
                                if (d.textContent = o.A.i18n.getMessage("more") + " " + String.fromCharCode(187), 
                          

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:2259
      String.fromCharCode — character-code obfuscation
      CODE: "none", s = String.fromCharCode(187);
      Context:                                     e.preventDefault(), e.stopPropagation();
                                    for (var r = t.querySelectorAll("*[" + wt.video.dataAttr + "]"), n = 0; n < r.length; n++) {
                                        var 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:2260
      String.fromCharCode — character-code obfuscation
      CODE: a = "", s = String.fromCharCode(171)) : i = "0", r[n].style.display = a
      Context:                                     for (var r = t.querySelectorAll("*[" + wt.video.dataAttr + "]"), n = 0; n < r.length; n++) {
                                        var i = r[n].getAttribute(wt.video.dataAttr), a = "none", s = String.fromCharCode

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:3998
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(187),                         style: {
      Context:                     var r = wt.popupMenu, n = r.createPopupItem("-text-", t).el;
                    A.A.create(n, {
                        text: o.A.i18n.getMessage("more") + " " + String.fromCharCode(187),
                        style: {
        

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:4228
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(171),                          t = "blo
      Context:                     }, c = function(e) {
                        var t = "none", r = e.parentNode.querySelectorAll(".isOptional");
                        "open" !== e.dataset.state ? (e.dataset.state = "open", e.textContent = o.A.i18n.getMessage("mo

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:4229
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(187));                         for (var
      Context:                         var t = "none", r = e.parentNode.querySelectorAll(".isOptional");
                        "open" !== e.dataset.state ? (e.dataset.state = "open", e.textContent = o.A.i18n.getMessage("more") + " " + String.fromCharCode(171), 
 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:4272
      String.fromCharCode — character-code obfuscation
      CODE: re") + " " + String.fromCharCode(187)), {
      Context:                                     e.stopPropagation();
                                } ]
                            }), t = A.A.create(r.createItem(o.A.i18n.getMessage("more") + " " + String.fromCharCode(187)), {
                                

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10121
      String.fromCharCode — character-code obfuscation
      CODE: aN(n) ? "" : String.fromCharCode(n);                     var o = t.speci
      Context:                 return e.replace(this.specialCharsRe, (function(e, r) {
                    var n = null;
                    if ("#" === r[0]) return n = parseInt(r.substr(1)), isNaN(n) ? "" : String.fromCharCode(n);
                    var o = t.sp

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10123
      String.fromCharCode — character-code obfuscation
      CODE: sList[1][o], String.fromCharCode(n)) : -1 !== (o = t.specialChars.indexO
      Context:                     if ("#" === r[0]) return n = parseInt(r.substr(1)), isNaN(n) ? "" : String.fromCharCode(n);
                    var o = t.specialCharsList[0].indexOf(r);
                    return -1 !== o ? (n = t.specialCharsList[1][o], String.

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10124
      String.fromCharCode — character-code obfuscation
      CODE: String.fromCharCode(n)) : "";                 }));
      Context:                     var o = t.specialCharsList[0].indexOf(r);
                    return -1 !== o ? (n = t.specialCharsList[1][o], String.fromCharCode(n)) : -1 !== (o = t.specialChars.indexOf(r)) ? (n = o + 160, 
                    String.fromCharCo

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10131
      String.fromCharCode — character-code obfuscation
      CODE: r = String.fromCharCode(parseInt("0x" + r.substr(2), 16));
      Context:                     var r = t;
                    try {
                        r = String.fromCharCode(parseInt("0x" + r.substr(2), 16));
                    } catch (e) {}
                    return r;

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10443
      String.fromCharCode — character-code obfuscation
      CODE: (i ? i.split(String.fromCharCode(9)) : [])[0].split(String.fromCharCode(
      Context:         "use strict";
        function n(e, t) {
            var r = t.split("?extra=")[1].split("#"), n = r[0], o = r[1], i = o ? s(o) : "", u = s(n), l = (i ? i.split(String.fromCharCode(9)) : [])[0].split(String.fromCharCode(11)), c = l.splice(0, 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10443
      String.fromCharCode — character-code obfuscation
      CODE: [])[0].split(String.fromCharCode(11)), c = l.splice(0, 1, u)[0];
      Context:         "use strict";
        function n(e, t) {
            var r = t.split("?extra=")[1].split("#"), n = r[0], o = r[1], i = o ? s(o) : "", u = s(n), l = (i ? i.split(String.fromCharCode(9)) : [])[0].split(String.fromCharCode(11)), c = l.splice(0, 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10483
      String.fromCharCode — character-code obfuscation
      CODE: 4) && (i += String.fromCharCode(255 & t >> (-2 * n & 6)));
      Context:             if (!e || e.length % 4 == 1) return !1;
            for (var t, r, n = 0, o = 0, i = ""; r = e.charAt(o++); ) ~(r = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN0PQRSTUVWXYZO123456789+/=".indexOf(r)) && (t = n % 4 ? 64 * t + r : r, 
         

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12330
      String.fromCharCode — character-code obfuscation
      CODE: < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String
      Context:             for (var t = "", r = 0; r < e.length; r++) {
                var n = e.charCodeAt(r);
                n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                t += String.from

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12330
      String.fromCharCode — character-code obfuscation
      CODE: 2048 ? (t += String.fromCharCode(n >> 6 | 192),                  t += St
      Context:             for (var t = "", r = 0; r < e.length; r++) {
                var n = e.charCodeAt(r);
                n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                t += String.from

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12331
      String.fromCharCode — character-code obfuscation
      CODE: t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharC
      Context:                 var n = e.charCodeAt(r);
                n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharCode(n >> 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12331
      String.fromCharCode — character-code obfuscation
      CODE: 28)) : (t += String.fromCharCode(n >> 12 | 224),                  t += S
      Context:                 var n = e.charCodeAt(r);
                n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharCode(n >> 

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12332
      String.fromCharCode — character-code obfuscation
      CODE: t += String.fromCharCode(n >> 6 & 63 | 128), t += String.fromCha
      Context:                 n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharCode(n >> 12 | 224), 
                t += String.f

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12332
      String.fromCharCode — character-code obfuscation
      CODE: | 128), t += String.fromCharCode(63 & n | 128));             }
      Context:                 n < 128 ? t += String.fromCharCode(n) : n > 127 && n < 2048 ? (t += String.fromCharCode(n >> 6 | 192), 
                t += String.fromCharCode(63 & n | 128)) : (t += String.fromCharCode(n >> 12 | 224), 
                t += String.f

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12428
      String.fromCharCode — character-code obfuscation
      CODE: n.push(String.fromCharCode(i));                     }
      Context:                     for (var t = e.words, r = e.sigBytes, n = [], o = 0; o < r; o++) {
                        var i = t[o >>> 2] >>> 24 - o % 4 * 8 & 255;
                        n.push(String.fromCharCode(i));
                    }
                

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10149
      unescape() — URL-encoding obfuscation
      CODE: e = unescape(e);                 }                 if
      Context:                     e = decodeURIComponent(e);
                } catch (t) {
                    e = unescape(e);
                }
                if (e = (e = this.decodeSpecialChars(e)).replace(this.rnRe, " "), (e = (e = this.trim(e)).replace(this

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:11708
      unescape() — URL-encoding obfuscation
      CODE: l = unescape(l);                     }
      Context:                         l = decodeURIComponent(l);
                    } catch (e) {
                        l = unescape(l);
                    }
                    try {

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:11713
      unescape() — URL-encoding obfuscation
      CODE: i[l] = unescape(c);                     }
      Context:                         i[l] = decodeURIComponent(c);
                    } catch (e) {
                        i[l] = unescape(c);
                    }
                }

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:12445
      unescape() — URL-encoding obfuscation
      CODE: return p.parse(unescape(encodeURIComponent(e)));
      Context:                 },
                parse: function(e) {
                    return p.parse(unescape(encodeURIComponent(e)));
                }
            }, h = s.BufferedBlockAlgorithm = u.extend({

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:14087
      unescape() — URL-encoding obfuscation
      CODE: ase64,".concat(btoa(unescape(encodeURIComponent(JSON.stringify(i)))),
      Context:         function A(e, t, r) {
            var n = r.css, o = r.media, i = r.sourceMap;
            if (o ? e.setAttribute("media", o) : e.removeAttribute("media"), i && "undefined" != typeof btoa && (n += "\n/*# sourceMappingURL=data:application/json

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:13712
      Long innerHTML assignment — possible HTML injection
      CODE: ]; else if (p && (e.innerHTML = ""), S(e, v(A) ? A : [ A ], t, r, o, i && "foreignObject" !== y, a, s, a ? a[0] : r.__k …
      Context:                 for (c in E) f = E[c], "children" == c ? A = f : "dangerouslySetInnerHTML" == c ? d = f : "value" == c ? g = f : "checked" == c ? I = f : "key" === c || u && "function" != typeof f || m[c] === f || Q(e, c, f, m[c], i);
               

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:11935
      XMLHttpRequest — check destination URL
      CODE: }, d = (e.localXHR, new XMLHttpRequest);             d.open(l.method, l.url, !
      Context:                 0: 200,
                1223: 204
            }, d = (e.localXHR, new XMLHttpRequest);
            d.open(l.method, l.url, !0), l.mimeType && d.overrideMimeType(l.mimeType), l.withCredentials && (d.withCredentials = !0);
            v

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:1720
      fetch() call — verify destination is legitimate
      CODE: === location.host ? fetch(e.href, {                         method
      Context:                         }
                    };
                    return "ok.ru" === location.host ? fetch(e.href, {
                        method: "HEAD"
                    }).then((e => ({

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:5030
      fetch() call — verify destination is legitimate
      CODE: return fetch(r, {
      Context:                                     fb_dtsg: t
                                });
                                return fetch(r, {
                                    method: "POST",
                                    headers: {

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:7550
      fetch() call — verify destination is legitimate
      CODE: okies().then((() => fetch(`https://www.youtube.com/youtubei/v1/pla
      Context:                                 };
                                return o.INNERTUBE_CONTEXT.client.userAgent && (s["user-agent"] = o.INNERTUBE_CONTEXT.client.userAgent), 
                                t.syncYoutubeCookies().then((() => fetch(`htt

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:7582
      fetch() call — verify destination is legitimate
      CODE: return fetch(e).then((e => e.text().then((e => /"VISI
      Context:             }
            getVisitorData(e) {
                return fetch(e).then((e => e.text().then((e => /"VISITOR_DATA":\s*"([^"]+)"/.exec(e)[1]))));
            }
        }

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:8150
      fetch() call — verify destination is legitimate
      CODE: return t.next = 4, fetch("https://graphql.api.dailymotion.com/oau
      Context: 
                          case 2:
                            return t.next = 4, fetch("https://graphql.api.dailymotion.com/oauth/token", {
                                method: "POST",
                                headers: {

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:8197
      fetch() call — verify destination is legitimate
      CODE: return r.next = 7, fetch("https://graphql.api.dailymotion.com/",
      Context: 
                          case 5:
                            return r.next = 7, fetch("https://graphql.api.dailymotion.com/", {
                                method: "POST",
                                headers: {

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:8923
      fetch() call — verify destination is legitimate
      CODE: unction(url){return fetch(url).then(function(response){return resp
      Context:                             return n = `https://wmf.ok.ru/play;jsessionid=${t.cache.jsessionId}?` + re.stringify({
                                tid: e
                            }), r.abrupt("return", t.cache.trackIdPromise[e] = (0, x.A)([ n ], "

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10577
      fetch() call — verify destination is legitimate
      CODE: I + i, e.next = 7, fetch(l);
      Context:                                             break;
                                        }
                                        return l = "https://" + I + i, e.next = 7, fetch(l);

                                      case 7:

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:10588
      fetch() call — verify destination is legitimate
      CODE: m + i, e.next = 16, fetch(d);
      Context: 
                                      case 13:
                                        return d = "https://" + m + i, e.next = 16, fetch(d);

                                      case 16:

  [MEDIUM  ] [JS_OBFUSCATION] includes/commons.js:4341
      window.open(_blank) — opened page can access window.opener; potential reverse tabnapping if noopener is not specified
      CODE: window.open("https://ru.savefrom.net/#url=" + e, "_blank"

  [MEDIUM  ] [JS_OBFUSCATION] js/options.js:1257
      String.fromCharCode — character-code obfuscation
      CODE: }), String.fromCharCode(160), h.A.create("span", {
      Context:                                 id: "ffmpegEnabled",
                                checked: !1
                            }), String.fromCharCode(160), h.A.create("span", {
                                text: v.A.i18n.getMessage("optionsFfmpegEn

  [MEDIUM  ] [JS_OBFUSCATION] js/options.js:1273
      String.fromCharCode — character-code obfuscation
      CODE: }), String.fromCharCode(160), h.A.create("span", {
      Context:                                         id: "saveAsDialog",
                                        checked: !1
                                    }), String.fromCharCode(160), h.A.create("span", {
                                        text: v.A.i

  [MEDIUM  ] [JS_OBFUSCATION] js/options.js:226
      Long innerHTML assignment — possible HTML injection
      CODE: ]; else if (f && (e.innerHTML = ""), j(e, k(p) ? p : [ p ], t, n, r, i && "foreignObject" !== g, l, a, l ? l[0] : n.__k …
      Context:                     for (_ in y) d = y[_], "children" == _ ? p = d : "dangerouslySetInnerHTML" == _ ? c = d : "value" == _ ? m = d : "checked" == _ ? v = d : "key" === _ || s && "function" != typeof d || h[_] === d || R(e, _, d, h[_], i);
           

  [MEDIUM  ] [JS_OBFUSCATION] js/options.js:1281
      Form event listener — could capture user input/credentials
      CODE: r.addEventListener("change", o, !1));                     if (v.A.
      Context:                         }
                    }(), i = 0, l = (a = e.querySelectorAll('form input[type="checkbox"]')).length; i < l; i++) (r = a[i]).id && void 0 !== t[r.id] && (r.checked = !!t[r.id], 
                    r.addEventListener("change",

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:1035
      String.fromCharCode — character-code obfuscation
      CODE: return String.fromCharCode(parseInt(t, 10));                 }));
      Context:             }, s = function(e) {
                return e.replace(/&#(\d+);/g, (function(e, t) {
                    return String.fromCharCode(parseInt(t, 10));
                }));
            }, u = function(e, t) {

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:1503
      String.fromCharCode — character-code obfuscation
      CODE: h.floor, k = String.fromCharCode;                 function O(e) {
      Context:                     "not-basic": "Illegal input >= 0x80 (not a basic code point)",
                    "invalid-input": "Invalid input"
                }, w = u - c, x = Math.floor, k = String.fromCharCode;
                function O(e) {
           

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4165
      String.fromCharCode — character-code obfuscation
      CODE: aN(n) ? "" : String.fromCharCode(n);                     var o = t.speci
      Context:                 return e.replace(this.specialCharsRe, (function(e, r) {
                    var n = null;
                    if ("#" === r[0]) return n = parseInt(r.substr(1)), isNaN(n) ? "" : String.fromCharCode(n);
                    var o = t.sp

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4167
      String.fromCharCode — character-code obfuscation
      CODE: sList[1][o], String.fromCharCode(n)) : -1 !== (o = t.specialChars.indexO
      Context:                     if ("#" === r[0]) return n = parseInt(r.substr(1)), isNaN(n) ? "" : String.fromCharCode(n);
                    var o = t.specialCharsList[0].indexOf(r);
                    return -1 !== o ? (n = t.specialCharsList[1][o], String.

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4168
      String.fromCharCode — character-code obfuscation
      CODE: String.fromCharCode(n)) : "";                 }));
      Context:                     var o = t.specialCharsList[0].indexOf(r);
                    return -1 !== o ? (n = t.specialCharsList[1][o], String.fromCharCode(n)) : -1 !== (o = t.specialChars.indexOf(r)) ? (n = o + 160, 
                    String.fromCharCo

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4175
      String.fromCharCode — character-code obfuscation
      CODE: r = String.fromCharCode(parseInt("0x" + r.substr(2), 16));
      Context:                     var r = t;
                    try {
                        r = String.fromCharCode(parseInt("0x" + r.substr(2), 16));
                    } catch (e) {}
                    return r;

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4483
      String.fromCharCode — character-code obfuscation
      CODE: += n) o.push(String.fromCharCode.apply(null, new Uint8Array(e, t, Math.m
      Context:         function zt(e) {
            return function(e) {
                for (var t = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : 0, r = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : 1e99, n = 8192, o = [], i 

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4125
      unescape() — URL-encoding obfuscation
      CODE: c = unescape(c);                     }
      Context:                         c = decodeURIComponent(c);
                    } catch (e) {
                        c = unescape(c);
                    }
                    try {

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4130
      unescape() — URL-encoding obfuscation
      CODE: i[c] = unescape(l);                     }
      Context:                         i[c] = decodeURIComponent(l);
                    } catch (e) {
                        i[c] = unescape(l);
                    }
                }

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4193
      unescape() — URL-encoding obfuscation
      CODE: e = unescape(e);                 }                 if
      Context:                     e = decodeURIComponent(e);
                } catch (t) {
                    e = unescape(e);
                }
                if (e = (e = this.decodeSpecialChars(e)).replace(this.rnRe, " "), (e = (e = this.trim(e)).replace(this

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:2507
      XMLHttpRequest — check destination URL
      CODE: }, f = (e.localXHR, new XMLHttpRequest);             f.open(c.method, c.url, !
      Context:                 0: 200,
                1223: 204
            }, f = (e.localXHR, new XMLHttpRequest);
            f.open(c.method, c.url, !0), c.mimeType && f.overrideMimeType(c.mimeType), c.withCredentials && (f.withCredentials = !0);
            v

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4455
      XMLHttpRequest — check destination URL
      CODE: xhr: new XMLHttpRequest             }), t;         }         fu
      Context:             return Bt.set(t, {
                id: t,
                xhr: new XMLHttpRequest
            }), t;
        }

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:3948
      fetch() call — verify destination is legitimate
      CODE: lename, r.next = 3, fetch(n, {                                 hea
      Context:                         for (;;) switch (r.prev = r.next) {
                          case 0:
                            return n = e.downloadFileUrl, o = e.filename, r.next = 3, fetch(n, {
                                headers: {
                

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4641
      fetch() call — verify destination is legitimate
      CODE: return fetch(e).then((e => {                     if (
      Context:             }
            _downloadTask(e) {
                return fetch(e).then((e => {
                    if (e.ok) return e.blob();
                    throw new Error("bad response");

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4656
      fetch() call — verify destination is legitimate
      CODE: return fetch(this.urls[0], {                     meth
      Context:             }
            fetchMimeType() {
                return fetch(this.urls[0], {
                    method: "head"
                }).then((e => e.headers.get("Content-Type")));

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:4680
      fetch() call — verify destination is legitimate
      CODE: lename, r.next = 3, fetch(n, {                                 hea
      Context:                         for (;;) switch (r.prev = r.next) {
                          case 0:
                            return n = e.downloadFileUrl, o = e.filename, r.next = 3, fetch(n, {
                                headers: {
                

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:5264
      fetch() call — verify destination is legitimate
      CODE: lename, r.next = 3, fetch(n, {                                 hea
      Context:                         for (;;) switch (r.prev = r.next) {
                          case 0:
                            return n = e.downloadFileUrl, o = e.filename, r.next = 3, fetch(n, {
                                headers: {
                

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:6026
      fetch() call — verify destination is legitimate
      CODE: okies().then((() => fetch(`https://www.youtube.com/youtubei/v1/pla
      Context:                                 };
                                return o.INNERTUBE_CONTEXT.client.userAgent && (s["user-agent"] = o.INNERTUBE_CONTEXT.client.userAgent), 
                                t.syncYoutubeCookies().then((() => fetch(`htt

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:6058
      fetch() call — verify destination is legitimate
      CODE: return fetch(e).then((e => e.text().then((e => /"VISI
      Context:             }
            getVisitorData(e) {
                return fetch(e).then((e => e.text().then((e => /"VISITOR_DATA":\s*"([^"]+)"/.exec(e)[1]))));
            }
        }

  [MEDIUM  ] [JS_OBFUSCATION] js/background.js:8742
      fetch() call — verify destination is legitimate
      CODE: n);                 fetch(`https://monitoring-exporter.sf-helper.c
      Context:             if (!!Xn.preferences.dataCollectionEnabled) {
                var r = t.params, n = r.type, o = e(r, Qn);
                fetch(`https://monitoring-exporter.sf-helper.com/api/v3/${n}`, {
                    method: "POST",
               

  [MEDIUM  ] [JS_OBFUSCATION] js/pageCommons.js:405
      unescape() — URL-encoding obfuscation
      CODE: ase64,".concat(btoa(unescape(encodeURIComponent(JSON.stringify(o)))),
      Context:         function h(e, t, r) {
            var s = r.css, n = r.media, o = r.sourceMap;
            if (n ? e.setAttribute("media", n) : e.removeAttribute("media"), o && "undefined" != typeof btoa && (s += "\n/*# sourceMappingURL=data:application/json

  [MEDIUM  ] [LOCALE_ABUSE] _locales/pt/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://en.wikipedia.org/wiki/Download_manager

  [MEDIUM  ] [LOCALE_ABUSE] _locales/pt/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.westbyte.com/dm/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/pt/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://en.wikipedia.org/wiki/Download_manager

  [MEDIUM  ] [LOCALE_ABUSE] _locales/pt/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.westbyte.com/dm/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/zh/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://ru.wikipedia.org/wiki/Менеджер_загрузок

  [MEDIUM  ] [LOCALE_ABUSE] _locales/zh/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.westbyte.com/dm/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/zh/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://ru.wikipedia.org/wiki/Менеджер_загрузок

  [MEDIUM  ] [LOCALE_ABUSE] _locales/zh/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.westbyte.com/dm/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/es/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://en.wikipedia.org/wiki/Download_manager

  [MEDIUM  ] [LOCALE_ABUSE] _locales/es/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.freedownloadmanager.org/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/es/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://en.wikipedia.org/wiki/Download_manager

  [MEDIUM  ] [LOCALE_ABUSE] _locales/es/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.freedownloadmanager.org/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/en/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://en.wikipedia.org/wiki/Download_manager

  [MEDIUM  ] [LOCALE_ABUSE] _locales/en/messages.json:
      Locale message 'filelistInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.freedownloadmanager.org/

  [MEDIUM  ] [LOCALE_ABUSE] _locales/en/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://en.wikipedia.org/wiki/Download_manager

  [MEDIUM  ] [LOCALE_ABUSE] _locales/en/messages.json:
      Locale message 'vkListOfLinksInstruction' contains an embedded URL — locale files should not contain URLs
      CODE: http://www.freedownloadmanager.org/

  [MEDIUM  ] [PERMISSION] manifest.json:
      Dangerous permission: 'downloads' — Can initiate and read downloads
      PERMISSION: permissions: ['tabs', 'downloads', 'storage', '<all_urls>', 'webRequest', 'webNavigation', 'webRequestBlocking']

  [MEDIUM  ] [PERMISSION] manifest.json:
      Dangerous permission: 'webRequest' — Can observe all HTTP(S) requests
      PERMISSION: permissions: ['tabs', 'downloads', 'storage', '<all_urls>', 'webRequest', 'webNavigation', 'webRequestBlocking']

  [MEDIUM  ] [TIME_BOMB] includes/odnoklassniki_ru.js:838
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() +

  [MEDIUM  ] [TIME_BOMB] includes/odnoklassniki_ru.js:1449
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() /

  [MEDIUM  ] [TIME_BOMB] includes/odnoklassniki_ru.js:1475
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() /

  [MEDIUM  ] [TIME_BOMB] includes/commons.js:5156
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() +

  [MEDIUM  ] [TIME_BOMB] includes/commons.js:5971
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() +

  [MEDIUM  ] [TIME_BOMB] includes/commons.js:8474
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() +

  [MEDIUM  ] [TIME_BOMB] includes/commons.js:10273
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() /

  [MEDIUM  ] [TIME_BOMB] includes/commons.js:10429
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() +

  [MEDIUM  ] [TIME_BOMB] includes/instagram_com.js:81
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() -

  [MEDIUM  ] [TIME_BOMB] includes/instagram_com.js:96
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() -

  [MEDIUM  ] [TIME_BOMB] js/background.js:2910
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() /

  [MEDIUM  ] [TIME_BOMB] js/background.js:4751
      Date arithmetic gate — code behaviour may depend on elapsed time since a stored timestamp
      CODE: Date.now() /

  [MEDIUM  ] [WEB_ACCESSIBLE] manifest.json:
      Wildcard web_accessible_resources — extension internals exposed to any website
      CODE: ['img/*']

  ── LOW ───────────────────────────────────────────────────────────────
  [LOW     ] [SUSPICIOUS_URL] popup.html:1
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/helper-pro-manual.php
      Context: <!DOCTYPE html><html><head lang="en"><meta charset="UTF-8"><title>SaveFrom.net Helper</title><script defer="defer" src="js/pageCommons.js"></script><script defer="defer" src="js/menu.js"></script></head><body class="sf-menu-container loading"><div cl

  [LOW     ] [SUSPICIOUS_URL] includes/astrologyvalley.js:28
      External domain — not on known-good allowlist: forms.gle
      URL: https://forms.gle/EQwCGiyRpkaQx3qGA
      Context:                         document.body.append(e), g("toolbar_survey", "show", "toolbar_survey_show");
                    }), 1e4), e.querySelector(".second-modal__btn").addEventListener("click", (() => {
                        window.open("https://f

  [LOW     ] [SUSPICIOUS_URL] includes/twitch_tv.js:34
      External domain — not on known-good allowlist: ttvnw.net
      URL: https://usher.ttvnw.net/vod/${e}.m3u8?sig=${r}&supported_codecs=avc1&token=${n}&cdm=wv&player_version=0.9.80
      Context:                     }));
                }(e).then((t => {
                    var r = t.signature, n = t.value, a = `https://usher.ttvnw.net/vod/${e}.m3u8?sig=${r}&supported_codecs=avc1&token=${n}&cdm=wv&player_version=0.9.80`;
                    r

  [LOW     ] [SUSPICIOUS_URL] includes/mail_ru.js:335
      External domain — not on known-good allowlist: mail.ru
      URL: https://music.my.mail.ru/file/
      Context:                             a = a.href;
                            var o = (0, s.A)(a);
                            return o.file && o.uid ? i("https://music.my.mail.ru/file/" + o.file + ".mp3?u=" + encodeURIComponent(o.uid)) : C.getUrlViaBridge(e, 

  [LOW     ] [SUSPICIOUS_URL] includes/mail_ru.js:344
      External domain — not on known-good allowlist: mail.ru
      URL: https://music.my.mail.ru/file/
      Context:                                 i(e);
                            }), (function() {
                                i("https://music.my.mail.ru/file/" + r + ".mp3");
                            }));
                        }

  [LOW     ] [SUSPICIOUS_URL] includes/mail_ru.js:684
      External domain — not on known-good allowlist: mail.ru
      URL: http://api.video.mail.ru/videos/
      Context:                         var n = this.matchUrl(location.pathname);
                        return n ? {
                            metadataUrl: "http://api.video.mail.ru/videos/" + n[1] + "/" + n[2] + "/" + n[3] + ".json"
                        } : 

  [LOW     ] [SUSPICIOUS_URL] includes/odnoklassniki_ru.js:957
      External domain — not on known-good allowlist: cdn-ok.com
      URL: http://cdn-ok.com/video/get/?
      Context:                         var n = (0, u.A)(e);
                        if (!n.id || !n.sig) return t();
                        var o = "http://cdn-ok.com/video/get/?" + N.stringify({
                            id: n.id,
                            fo

  [LOW     ] [SUSPICIOUS_URL] includes/savefrom_net.js:254
      External domain — not on known-good allowlist: ytimg.com
      URL: http://i.ytimg.com/vi/
      Context:                                 duration: r.secondsToDuration(l)
                            },
                            thumb: e ? "http://i.ytimg.com/vi/" + e + "/hqdefault.jpg" : ""
                        }, m = !1;
                        r.v

  [LOW     ] [SUSPICIOUS_URL] includes/savefrom_net.js:383
      External domain — not on known-good allowlist: dai.ly
      URL: http://dai.ly/
      Context:                                 meta: {
                                    title: i ? u.A.modify(i) : "download",
                                    source: "http://dai.ly/" + e,
                                    duration: r.secondsToDuration(a)


  [LOW     ] [SUSPICIOUS_URL] includes/savefrom_net.js:425
      External domain — not on known-good allowlist: mail.ru
      URL: http://my.mail.ru/
      Context:                                 meta: {
                                    title: i ? u.A.modify(i) : "download",
                                    source: "http://my.mail.ru/" + e,
                                    duration: r.secondsToDuration

  [LOW     ] [SUSPICIOUS_URL] includes/horoscope.js:28
      External domain — not on known-good allowlist: forms.gle
      URL: https://forms.gle/EQwCGiyRpkaQx3qGA
      Context:                         document.body.append(n), a("toolbar_survey", "show", "toolbar_survey_show");
                    }), 1e4), n.querySelector(".third-modal__btn").addEventListener("click", (() => {
                        window.open("https://fo

  [LOW     ] [SUSPICIOUS_URL] includes/astrology.js:28
      External domain — not on known-good allowlist: forms.gle
      URL: https://forms.gle/EQwCGiyRpkaQx3qGA
      Context:                         document.body.append(t), f("toolbar_survey", "show", "toolbar_survey_show");
                    }), 1e4), t.querySelector(".first-modal__btn").addEventListener("click", (() => {
                        window.open("https://fo

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:479
      External domain — not on known-good allowlist: televzr.com
      URL: https://desktop.televzr.com/download-in-hd.html?vid=693&video_id=yt-${L}&utm_source=helper&utm_medium=hd-mp3-button&utm_…
      Context:             x.A)(s, 2), l = u[0], c = u[1], d = R.Ay.useState(!1), p = (0, x.A)(d, 2), h = p[0], f = p[1], g = R.Ay.useState(!1), v = (0, 
            x.A)(g, 2), I = v[0], C = v[1], m = R.Ay.useState(), E = (0, x.A)(m, 2), b = E[0], O = E[1], F = R.

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:786
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/helper-pro
      Context:                 className: n.loginBtn,
                onClick: F,
                href: "https://sf-helper.net/helper-pro",
                target: "_blank"
            }, o.A.i18n.getMessage("activatePro")), g === De && R.Ay.createElement("a", {

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:931
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/helper-pro
      Context:                 }));
            }), []), R.Ay.createElement("div", null, u && R.Ay.createElement("a", {
                href: "https://sf-helper.net/helper-pro",
                className: r.button,
                onClick: i,

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:937
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/helper-pro
      Context:             }, o.A.i18n.getMessage("try_pro_button")));
        }));
        var ot = r(3928), it = r.n(ot), at = (0, v.A)("TzDownload"), st = "STATE_AUTH_CHECK", ut = "STATE_TELEVZR_SEARCH", lt = "STATE_DOWNLOAD_PREPARING", ct = "STATE_DOWNLOAD_STAR

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:1042
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/helper-pro-manual.php
      Context:             }, o.A.i18n.getMessage("televzrNotFoundSubMessage")), R.Ay.createElement("a", {
                onClick: F,
                href: "https://sf-helper.net/helper-pro-manual.php",
                target: "_blank",
                className: 

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:1581
      External domain — not on known-good allowlist: purl.org
      URL: http://purl.org/dc/elements/1.1/
      Context:                 cache: {},
                getSrc: function(e, t) {
                    return this.icon[e] ? (this.cache[e] || (this.cache[e] = {}), this.cache[e][t] || (this.cache[e][t] = btoa('<?xml version="1.0" encoding="UTF-8"?><svg xmlns:dc="h

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:2863
      External domain — not on known-good allowlist: robokassa.ru
      URL: https://auth.robokassa.ru/Merchant/Index.aspx?MerchantLogin=helperpro&OutSum=399&InvId=198813&Receipt=%257B%2522items%25…
      Context:                             text: "Оформить подписку",
                            target: "_blank",
                            href: "https://auth.robokassa.ru/Merchant/Index.aspx?MerchantLogin=helperpro&OutSum=399&InvId=198813&Receipt=%257B%2522it

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:2885
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/pro2?utm_source=helper&utm_medium=subscription_popup&utm_campaign=pro
      Context:                             text: "Подробней",
                            target: "_blank",
                            // href: "https://sf-helper.net/pro2?utm_source=helper&utm_medium=subscription_popup&utm_campaign=pro",
                         

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:4568
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/pro2
      Context:                         }), A.A.create("a", {
                            class: "sf-button",
                            // href: "https://sf-helper.net/pro2",
                            target: "_blank",
                            style: {

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:6032
      External domain — not on known-good allowlist: tiktok.com
      URL: https://www.tiktok.com/@${u}/video/${l}
      Context:                             }
                            if (i = n.closest('div[data-e2e="recommend-list-item-container"]'), s = null, i ? (u = t.getUsername(i), 
                            l = t.getVideoId(i), s = `https://www.tiktok.com/@${u}/vid

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:8921
      External domain — not on known-good allowlist: ok.ru
      URL: https://wmf.ok.ru/play;jsessionid=${t.cache.jsessionId}?
      Context: 
                          case 6:
                            return n = `https://wmf.ok.ru/play;jsessionid=${t.cache.jsessionId}?` + re.stringify({
                                tid: e
                            }), r.abrupt("return", t.cache.tr

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:10343
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/static/helper-config/selector_config.json
      Context:                       case 0:
                        return e.abrupt("return", (0, d.A)({
                            url: "https://sf-helper.com/static/helper-config/selector_config.json"
                        }).then((e => {
                    

  [LOW     ] [SUSPICIOUS_URL] includes/commons.js:11560
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/static/joiner2/frame2.html
      Context:                     this.destroyFrame(), window.addEventListener("message", this.frameListener);
                    var r = this.frame = document.createElement("iframe");
                    r.src = "https://sf-helper.com/static/joiner2/frame2.html"

  [LOW     ] [SUSPICIOUS_URL] js/menu.js:136
      External domain — not on known-good allowlist: odnoklassniki.ru
      URL: http://www.odnoklassniki.ru/dk?st.cmd=addShare&st.s=1&st._surl=
      Context:                             network: "odnoklassniki",
                            title: a.A.i18n.getMessage("shareIn").replace("%w", "OK.ru"),
                            href: "http://www.odnoklassniki.ru/dk?st.cmd=addShare&st.s=1&st._surl=" + t + 

  [LOW     ] [SUSPICIOUS_URL] js/menu.js:141
      External domain — not on known-good allowlist: mail.ru
      URL: http://connect.mail.ru/share?url=
      Context:                             network: "mail.ru",
                            title: a.A.i18n.getMessage("shareIn").replace("%w", "Mail.ru"),
                            href: "http://connect.mail.ru/share?url=" + t + "&title=" + i + "&description=" + 

  [LOW     ] [SUSPICIOUS_URL] js/menu.js:161
      External domain — not on known-good allowlist: livejournal.com
      URL: http://www.livejournal.com/update.bml?subject=
      Context:                             network: "livejournal",
                            title: a.A.i18n.getMessage("shareIn").replace("%w", "Livejournal"),
                            href: "http://www.livejournal.com/update.bml?subject=" + i + "&event=" + o

  [LOW     ] [SUSPICIOUS_URL] js/background.js:2860
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/static/helper-config/experiments.config.json?ts=${Date.now()}
      Context:             }
            requestRemoteConfig() {
                var e = `https://sf-helper.com/static/helper-config/experiments.config.json?ts=${Date.now()}`;
                return R({
                    url: e,

  [LOW     ] [SUSPICIOUS_URL] js/background.js:2980
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/static/helper-config/general_config.json
      Context:                       case 0:
                        return e.abrupt("return", R({
                            url: "https://sf-helper.com/static/helper-config/general_config.json"
                        }).then((e => {
                            

  [LOW     ] [SUSPICIOUS_URL] js/background.js:3055
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/static/helper-config/selector_config.json
      Context:                       case 0:
                        return e.abrupt("return", R({
                            url: "https://sf-helper.com/static/helper-config/selector_config.json"
                        }).then((e => {
                           

  [LOW     ] [SUSPICIOUS_URL] js/background.js:3417
      External domain — not on known-good allowlist: televzr.com
      URL: https://oauth2.televzr.com
      Context:             return e;
        }
        var ct = r(894), lt = c("AuthService"), ft = "https://oauth2.televzr.com";
        Error;
        var pt = [ "responseStatus", "responseOk", "responseType", "requestPrefix" ];

  [LOW     ] [SUSPICIOUS_URL] js/background.js:3468
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/static/helper-config/clickunder_config.json
      Context:         const gt = class {
            constructor(e) {
                this.track = e, this.fetchData = dt, this.CONFIG_URL = "https://sf-helper.com/static/helper-config/clickunder_config.json", 
                this.evalString = null, this.options 

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4020
      External domain — not on known-good allowlist: mail.ru
      URL: http://api.video.mail.ru/videos/
      Context:             _getMailruLinks(e, t) {
                var r, n = e, o = e.match(/\/([^\/]+)\/([^\/]+)\/video\/(.+).html/);
                if (o || (o = e.match(/embed\/([^\/]+)\/([^\/]+)\/(.+).html/)), o && (r = "http://api.video.mail.ru/videos/" + o[

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4023
      External domain — not on known-good allowlist: mail.ru
      URL: http://my.mail.ru/
      Context:                 n = o[1] + "/" + o[2] + "/video/" + o[3] + ".html"), r) return this.onGetMailruMetadataUrl(r, n, t);
                A({
                    url: "http://my.mail.ru/" + e
                }, ((e, o, i) => {
                    if (e ||

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4034
      External domain — not on known-good allowlist: mail.ru
      URL: http://videoapi.my.mail.ru/videos/
      Context:                     if (!(i = i.match(/<meta\s+content="[^"]+(videoapi\.my\.mail[^&]+)&[^"]+"[^>]+\/>/))) return t();
                    var u = (i = decodeURIComponent(i[1])).substr(i.lastIndexOf("/") + 1);
                    r = "http://videoapi.

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4265
      External domain — not on known-good allowlist: mail.ru
      URL: http://in.video.mail.ru/cgi-bin/video/oklite?eid=
      Context:             _getOdnoklassnikiLinks(e, t) {
                e ? A({
                    url: "http://in.video.mail.ru/cgi-bin/video/oklite?eid=" + e
                }, (function(r, n, o) {
                    if (r || !o) return t(null);

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4268
      External domain — not on known-good allowlist: mail.ru
      URL: http://www.okcontent.video.mail.ru/media/
      Context:                 }, (function(r, n, o) {
                    if (r || !o) return t(null);
                    var i = "http://www.okcontent.video.mail.ru/media/", a = o.match(/\$vcontentHost=([^\s"'<>]+)/i);
                    a && a.length > 1 && (i

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4288
      External domain — not on known-good allowlist: ok.ru
      URL: http://wmf1.ok.ru/play;jsessionid=
      Context:                 if (!t || !r) return n(null);
                A({
                    url: "http://wmf1.ok.ru/play;jsessionid=" + r + "?tid=" + t,
                    json: !0
                }, (function(e, t, r) {

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4307
      External domain — not on known-good allowlist: clipyou.ru
      URL: http://media.clipyou.ru/api/player/secure_link?record_id=
      Context:             getClipyouLinks(e, t, r, n, o) {
                A({
                    url: "http://media.clipyou.ru/api/player/secure_link?record_id=" + e + "&type=mp4&resource_hash=" + t,
                    json: !0
                }, (function(e, t

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4323
      External domain — not on known-good allowlist: clipyou.ru
      URL: http://media.clipyou.ru/api/player_data.json?id=
      Context:             getClipyouHash(e, t) {
                A({
                    url: "http://media.clipyou.ru/api/player_data.json?id=" + e
                }, (function(e, r, n) {
                    if (e || !n) return t();

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4341
      External domain — not on known-good allowlist: pladform.ru
      URL: http://out.pladform.ru/getVideo?pl=
      Context:                 }, o = e.extVideoId.playerId, i = e.extVideoId.videoId;
                return A({
                    url: "http://out.pladform.ru/getVideo?pl=" + o + "&videoid=" + i,
                    xml: !0
                }, ((e, t, o) => {

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4396
      External domain — not on known-good allowlist: ok.ru
      URL: http://m.ok.ru/dk?
      Context:                     "st.cmd": "movieLayer",
                    "st.mvId": e.mvId
                }, o = "http://m.ok.ru/dk?" + Ft.stringify(n), i = {
                    action: e.action,
                    links: null,

  [LOW     ] [SUSPICIOUS_URL] js/background.js:4438
      External domain — not on known-good allowlist: ok.ru
      URL: https://ok.ru/video/${t}
      Context:                 var t = e.videoId;
                return R({
                    url: `https://ok.ru/video/${t}`,
                    headers: {
                        "user-agent": Dt()

  [LOW     ] [SUSPICIOUS_URL] js/background.js:7412
      External domain — not on known-good allowlist: sf-helper.net
      URL: https://sf-helper.net/callback.php
      Context:                     accessTokenUri: ft + "/token",
                    authorizationUri: ft + "/auth",
                    redirectUri: "https://sf-helper.net/callback.php",
                    scopes: [ "profile" ]
                }, ((e, t, r, n) =

  [LOW     ] [SUSPICIOUS_URL] js/background.js:7492
      External domain — not on known-good allowlist: televzr.com
      URL: https://oauth2.televzr.com/v1/quickCode?
      Context:             getQuickCodeRequest() {
                return lt.log("quickCodeRequest call"), it((() => this.credentionalsToken && this.credentionalsToken.data ? this.credentionalsToken : this.loadTokenFromStorage())).then((e => R({
                   

  [LOW     ] [SUSPICIOUS_URL] js/background.js:7525
      External domain — not on known-good allowlist: televzr.com
      URL: https://oauth2.televzr.com/logout
      Context:             logout() {
                return ot([ "credentials", "userInfo" ]).then((() => this.revokeToken())).then(...at((() => R({
                    url: "https://oauth2.televzr.com/logout",
                    method: "POST"
                })

  [LOW     ] [SUSPICIOUS_URL] js/background.js:7734
      External domain — not on known-good allowlist: matchtv.ru
      URL: https://matchtv.ru/vdl/playlist/${encodeURIComponent(o)}/1.json
      Context: 
                          case 6:
                            return a = `https://matchtv.ru/vdl/playlist/${encodeURIComponent(o)}/1.json`, t.next = 9, 
                            R({
                                url: a,

  [LOW     ] [SUSPICIOUS_URL] js/background.js:8123
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://sf-helper.com/geoip/country.php
      Context:                     return R({
                        type: "POST",
                        url: "https://sf-helper.com/geoip/country.php",
                        data: {
                            sig: e.length

  [LOW     ] [SUSPICIOUS_URL] js/background.js:8730
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://monitoring-exporter.sf-helper.com/event
      Context:                 var t = `category=${e.obj.category}&subcategory=${e.obj.subcategory}&event=${e.obj.event}&duration=3.14`;
                return A({
                    url: "https://monitoring-exporter.sf-helper.com/event",
                    type:

  [LOW     ] [SUSPICIOUS_URL] js/background.js:8742
      External domain — not on known-good allowlist: sf-helper.com
      URL: https://monitoring-exporter.sf-helper.com/api/v3/${n}
      Context:             if (!!Xn.preferences.dataCollectionEnabled) {
                var r = t.params, n = r.type, o = e(r, Qn);
                fetch(`https://monitoring-exporter.sf-helper.com/api/v3/${n}`, {
                    method: "POST",
               

  [LOW     ] [SUSPICIOUS_URL] _locales/pt/messages.json:104
      External domain — not on known-good allowlist: westbyte.com
      URL: http://www.westbyte.com/dm/
      Context:   "qualityNote": {"message": "Se o v\u00eddeo na qualidade desejada n\u00e3o estiver dispon\u00edvel, o melhor dispon\u00edvel ser\u00e1 baixado."},
  "filelistTitle": {"message": "Lista de arquivos encontrados"},
  "filelistInstruction": {"message":

  [LOW     ] [SUSPICIOUS_URL] _locales/pt/messages.json:131
      External domain — not on known-good allowlist: westbyte.com
      URL: http://www.westbyte.com/dm/
      Context:   "vkShowAs": {"message": "Mostrar como"},
  "vkListOfLinks": {"message": "Lista de links"},
  "vkListOfLinksInstruction": {"message": "['Para baixar todas as fotos, copie a lista de links e cole-a em um ',{a:{href:'http://en.wikipedia.org/wiki/Downl

  [LOW     ] [SUSPICIOUS_URL] _locales/zh/messages.json:104
      External domain — not on known-good allowlist: westbyte.com
      URL: http://www.westbyte.com/dm/
      Context:   "qualityNote": {"message": "\u5982\u679c\u6ca1\u6709\u6240\u9700\u8d28\u91cf\u7684\u89c6\u9891\uff0c\u5c06\u4e0b\u8f7d\u6700\u4f73\u8d28\u91cf\u7684\u89c6\u9891\u3002"},
  "filelistTitle": {"message": "\u5df2\u627e\u5230\u6587\u4ef6\u5217\u8868"},


  [LOW     ] [SUSPICIOUS_URL] _locales/zh/messages.json:131
      External domain — not on known-good allowlist: westbyte.com
      URL: http://www.westbyte.com/dm/
      Context:   "vkShowAs": {"message": "\u663e\u793a\u4e3a"},
  "vkListOfLinks": {"message": "\u94fe\u63a5\u5217\u8868"},
  "vkListOfLinksInstruction": {"message": "['\u8981\u4e0b\u8f7d\u6240\u6709\u7167\u7247\uff0c\u8bf7\u590d\u5236\u94fe\u63a5\u5217\u8868\u5e76

  [LOW     ] [SUSPICIOUS_URL] _locales/es/messages.json:104
      External domain — not on known-good allowlist: freedownloadmanager.org
      URL: http://www.freedownloadmanager.org/
      Context:   "qualityNote": {"message": "Si no se elige ninguna calidad, se descargar\u00e1 el mejor v\u00eddeo disponible."},
  "filelistTitle": {"message": "La lista de los archivos encontrados"},
  "filelistInstruction": {"message": "['Para descargar todos l

  [LOW     ] [SUSPICIOUS_URL] _locales/es/messages.json:131
      External domain — not on known-good allowlist: freedownloadmanager.org
      URL: http://www.freedownloadmanager.org/
      Context:   "vkShowAs": {"message": "Mostrar como"},
  "vkListOfLinks": {"message": "Lista de enlaces"},
  "vkListOfLinksInstruction": {"message": "['Para descargar todas las im\u00e1genes, copie la lista de enlaces y p\u00e9guela en el ',{a:{href:'http://en.w

  [LOW     ] [SUSPICIOUS_URL] _locales/en/messages.json:76
      External domain — not on known-good allowlist: freedownloadmanager.org
      URL: http://www.freedownloadmanager.org/
      Context:   "qualityNote": {"message": "The best available video will be downloaded If there is no chosen quality."},
  "filelistTitle": {"message": "The list of the found files"},
  "filelistInstruction": {"message": "['To download all files copy the list of 

  [LOW     ] [SUSPICIOUS_URL] _locales/en/messages.json:92
      External domain — not on known-good allowlist: freedownloadmanager.org
      URL: http://www.freedownloadmanager.org/
      Context:   "vkFoundOf": {"message": "of"},
  "vkListOfLinks": {"message": "List of links"},
  "vkListOfLinksInstruction": {"message": "['To download all photos copy the list of links and paste it into the ',{a:{href:'http://en.wikipedia.org/wiki/Download_mana

  ── INFO ──────────────────────────────────────────────────────────────
  [INFO    ] [METADATA] Youtube Video Downloader.xpi:
      SHA-256: dccb98f494e00345447c93f5bb5e79dc29a4c96fce276780fe585ff521b3a848  |  size: 3,696,875 bytes


  Extension Name: YouTube Video Download
  Extension UUID: {8ba275e2-6750-41c3-a944-307e38c2a5e2}
  Overall verdict: CRITICAL RISK

════════════════════════════════════════════════════════════════════════