Security Warning: High Security Risk
Anime Forest HD Wallpaper
ID: mnohmoplhiadpdpfjjmhmfheigfaelbp
Supported Languages
Extension Info & Metadata
Publisher Contextual Analysis
- Author
- https://gameograf.com/View Profile
- Privacy
- Privacy Policy
- Country
- US
- MX records exist
- Yes
- Domain exists
- Yes
- Is disposable
- No
- Is role-based
- Yes
- Mailbox exists
- Yes
- Address
- 477 N Miami St Miami, FL 33179 US
- Website
- Visit
Transform every new tab into a tranquil escape with the Anime Forest Chrome Extension.
Download now to enjoy serene forest visuals inspired by anime artistry! Features: 🌲 Rotating Anime Forest Wallpapers: Refresh your mood with beautiful and immersive anime-style forest scenes. 🔗 Quick Access Shortcuts: Customize links to your favorite websites for instant navigation. 🔍 Integrated Search Bar: Perform searches directly from your new tab page. 🕒 Clock and Date Display: Stylishly stay on top of your schedule. Why Choose Anime Forest? Bring the magic of anime nature scenes to your browser with this seamless Chrome Extension. It's perfect for creating a calming, creative browsing space. Explore more exciting extensions like "Naruto Clan Akatsuki," "Cyberpunk Girl," and "Sword Art Online" on our website. Download now and elevate your browsing experience! About Us Gameograf.com designs high-quality Chrome new tab themes and extensions. Browse popular categories like sports stars, anime, cars, music icons, K-pop, and more. Website: https://gameograf.com Contact: https://gameograf.com/contact-us/ Privacy Policy: https://gameograf.com/privacy-policy/ Feedback: https://gameograf.com/feedback/ Email: [email protected] Google Chrome Affiliate Program Disclosure This extension may open gameograf.com on new tabs to introduce its features and related content. All links are user-focused and require user approval per Chrome's affiliate guidelines.
The extension fetches a JSON payload from api.gameograf.com whose `html` field is inserted verbatim into the new tab page via `innerHTML` on every load (guarded only by a timestamp). This gives the publisher a persistent, update-free channel to push arbitrary HTML — phishing forms, deceptive UI, tracking beacons, or malicious anchor tags — to all 162 users' new tab pages at any time. MV3 CSP prevents inline `<script>` execution but does not block injected forms, iframes loading third-party origins, or anchor elements with attacker-controlled hrefs, so the practical risk of UI-level abuse is real.
document.addEventListener("DOMContentLoaded", () => { const popupContainer = document.getElementById("remote-popup"); // Last notification time is kept in LocalStorage const lastShownKey = "popupLastShown"; fetch("https://api.gameograf.com/popup/message.json") .then((res) => { if (!res.ok) throw new Error("Failed to retrieve notification data"); return res.json(); // JSON: { html: "...", timestamp: 1715376642000 } }) .then((data) => { const { html, timestamp } = data; const lastShown = parseInt(localStorage.getItem(lastShownKey) || "0"); if (timestamp > lastShown) { popupContainer.innerHTML = html; const closeBtn = document.createElement("button"); closeBtn.classList.add("close-btn"); closeBtn.innerHTML = "×"; closeBtn.onclick = () => popupContainer.style.display = "none"; popupContainer.appendChild(closeBtn); popupContainer.style.display = "block"; // Update timestamp as new shown localStorage.setItem(lastShownKey, timestamp.toString()); } }) .catch((err) => { console.error("Notification check failed:", err); });});Video blobs are fetched from https://mlionltd.github.io/space/ — a GitHub Pages domain whose owner ("mlionltd") has no apparent relationship to Gameograf — and stored in IndexedDB for local playback. This domain is absent from the declared host_permissions (only api.gameograf.com is listed), so the fetch should fail at runtime in MV3, indicating either dead code or an oversight. Regardless, the pattern shows an undeclared third-party content dependency; if host_permissions were broadened in a future update, the extension would silently pull binary content from a completely unrelated party-controlled domain.
async function fetchAndStoreVideos(db) { const alertLoader = $("#alertLoader"); const bg_mode_toggle = $("#bgModeToggle"); const vid_mode = $("#vidMode"); const baseURL = "https://mlionltd.github.io/space/"; async function fetchAndStore(i) { const url = `${baseURL}${i}.mp4`; try { const response = await fetch(url); if (response.ok) { const blob = await response.blob(); const transaction = db.transaction(["videos"], "readwrite"); const objectStore = transaction.objectStore("videos"); const videoData = { blob }; objectStore.add(videoData); console.log(`Video ${i} is available and stored in IndexedDB.`); } } catch (error) { console.error(`Error fetching or storing video ${i}: ${error}`); } }By severity
Versions scanned
Showing 1 of 2 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.1.0 | 2 |
Files with findings
2 distinct paths — top paths by unique finding count:
- js/popup.js1
- js/script.js1
URLs
View the external URLs this extension communicates with to understand its network activity and data interactions.
Gain full insight into all external connections.
Upgrade for full visibility.
Gain full insight into all external connections.
Upgrade for full visibility.
Code Diff
Compare extension code between any two versions.
No comparable text files found between these versions.
Browse and explore files within this extension package
Gain full insight into all external connections.
Upgrade for full visibility.