,"static/chunks/8688-c83a1556c2563fd6.js","8486","static/chunks/8486-b34bccf6d9e92683.js","9755","static/chunks/app/(pages)/extensions/%5Bslug%5D/page-de67a41b595cb1f1.js"],"GatedFindingsCta"] 29:T474,Background.js lines 68282–68328 (GA v3 saga) and 68679–68738 (GA v4 saga): on `CLICK_EXTENSION_ICON` (debounce 400ms), both sagas query the active tab via `chrome.tabs.query({active:true})`, extract the tab URL via `getUrlFromTab`, compute `hostname = new URL(url).hostname` (line 68302 / 68700), then build event bodies. GA v3 `GAEvent.mapToRequestBody()` (background.js:9339–9359) sends `POST https://www.google-analytics.com/collect` with fields `tid=UA-35417772-32`, `cid=`, `uid=`, `cd6=`, `dh=`. GA v4 `Axiosv4EventSender.sendMany()` (background.js:68218–68223) sends `POST https://www.google-analytics.com/mp/collect?api_secret=VEdjd-r_QaSmUCfvM5Fudw&measurement_id=G-8BK7QDVC14` with body `{client_id, user_id, events:[{name:'plugin_icon_click', params:{ext_cid, domain_location:, browser, browser_version, language}}]}`. Both fire on ALL websites (content script matches ``). Gated by `getTrackingAnalyticsEnabled` (background.js:8637) which defaults to true (`settings.tracking.googleAnalytics`) unless user has been shown a permission prompt.2a:T474,Background.js lines 68282–68328 (GA v3 saga) and 68679–68738 (GA v4 saga): on `CLICK_EXTENSION_ICON` (debounce 400ms), both sagas query the active tab via `chrome.tabs.query({active:true})`, extract the tab URL via `getUrlFromTab`, compute `hostname = new URL(url).hostname` (line 68302 / 68700), then build event bodies. GA v3 `GAEvent.mapToRequestBody()` (background.js:9339–9359) sends `POST https://www.google-analytics.com/collect` with fields `tid=UA-35417772-32`, `cid=`, `uid=`, `cd6=`, `dh=`. GA v4 `Axiosv4EventSender.sendMany()` (background.js:68218–68223) sends `POST https://www.google-analytics.com/mp/collect?api_secret=VEdjd-r_QaSmUCfvM5Fudw&measurement_id=G-8BK7QDVC14` with body `{client_id, user_id, events:[{name:'plugin_icon_click', params:{ext_cid, domain_location:, browser, browser_version, language}}]}`. Both fire on ALL websites (content script matches ``). Gated by `getTrackingAnalyticsEnabled` (background.js:8637) which defaults to true (`settings.tracking.googleAnalytics`) unless user has been shown a permission prompt.26:["$","div","CWE-200-1",{"id":"finding-02","className":"border-border/60 bg-card/40 relative scroll-mt-24 overflow-hidden rounded-lg border px-3 py-4 sm:p-6","children":[["$","div",null,{"className":"absolute inset-y-0 left-0 w-[3px] bg-yellow-500","aria-hidden":true}],["$","$L25",null,{"claim":{"id":"f861f91e-61ca-4eb0-bf34-2e155f0fa0ac","slug":"case-f861f91e","cwe":"CWE-200","title":"Extension sends current tab hostname + persistent client ID to Google Analytics (UA-35417772-32 and G-8BK7QDVC14) on every extension icon click from any website","headline":"Extension sends current tab hostname + persistent client ID to Google Analytics (UA-35417772-32 and G-8BK7QDVC14) on every extension icon click from any website","userSummary":"alerabat.com | kupony i cashback has a medium-severity finding: Extension sends current tab hostname + persistent client ID to Google Analytics (UA-35417772-32 and G-8BK7QDVC14) on every extension icon click from any website","severity":"medium","verificationStatus":"pending","timeline":[{"icon":"user","actor":"user","label":"You install","detail":"Extension installed from the Chrome Web Store."},{"icon":"extension","actor":"extension","label":"user action required","detail":"Trigger condition: user action required."},{"icon":"request","actor":"extension","label":"Data collected","detail":"$29"},{"icon":"upload","actor":"remote","label":"Exfiltrated","detail":"Sent to www.google-analytics.com/collect."}],"blocks":[{"kind":"plain_note","title":"Mechanism","body":"$2a"}],"scaleMetrics":[],"trustTier":"ai-found","userActions":[]},"variant":"inline","expect

Is alerabat.com | kupony i cashback safe?

Findings