Skip to content

Security: Privileged API invoked via page-global window.GM_openInTab#589

Open
tuanaiseo wants to merge 1 commit intoXIU2:masterfrom
tuanaiseo:contribai/fix/security/privileged-api-invoked-via-page-global-w
Open

Security: Privileged API invoked via page-global window.GM_openInTab#589
tuanaiseo wants to merge 1 commit intoXIU2:masterfrom
tuanaiseo:contribai/fix/security/privileged-api-invoked-via-page-global-w

Conversation

@tuanaiseo
Copy link
Copy Markdown

@tuanaiseo tuanaiseo commented Apr 7, 2026

Problem

Multiple scripts call window.GM_openInTab(...) instead of the granted GM_openInTab(...). If the page defines or overrides window.GM_openInTab, the userscript may execute attacker-controlled code or lose integrity of privileged actions.

Severity: medium
File: GoogleTranslate-Beautification.user.js

Solution

Call the granted API directly (GM_openInTab) and never via window. Apply this change consistently across scripts using window.GM_openInTab.

Changes

  • GoogleTranslate-Beautification.user.js (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

@tuanaiseo
fix(security): privileged api invoked via page-global `window.gm_
9308bc0 
Multiple scripts call `window.GM_openInTab(...)` instead of the granted `GM_openInTab(...)`. If the page defines or overrides `window.GM_openInTab`, the userscript may execute attacker-controlled code or lose integrity of privileged actions.

Affected files: GoogleTranslate-Beautification.user.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tuanaiseo