{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T22:36:15Z","timestamp":1777674975809,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":83,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484745","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"1789-1804","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":36,"title":["DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale"],"prefix":"10.1145","author":[{"given":"Aurore","family":"Fass","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"}]},{"given":"Doli\u00e8re Francis","family":"Som\u00e9","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"}]},{"given":"Michael","family":"Backes","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"}]},{"given":"Ben","family":"Stock","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","doi-asserted-by":"crossref","unstructured":"Anupama Aggarwal Bimal Viswanath Liang Zhang Saravana Kumar Ayush Shah and Ponnurangam Kumaraguru. 2018. I Spy with My Little Eye: Analysis and Detection of Spying Browser Extensions. In Euro S&P.","DOI":"10.1109\/EuroSP.2018.00012"},{"key":"e_1_3_2_2_2_1","volume-title":"Ullman","author":"Aho Alfred V.","year":"2006","unstructured":"Alfred V. Aho, Monica S. Lam, Ravi Sethi, and Jeffrey D. Ullman. 2006. Compilers: Principles, Techniques, and Tools (Second Edition). Addison Wesley. ISBN: 978-0321486813."},{"key":"e_1_3_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660193.2660214"},{"key":"e_1_3_2_2_4_1","doi-asserted-by":"crossref","unstructured":"Michael Backes Konrad Rieck Malte Skoruppa Ben Stock and Fabian Yamaguchi. 2017. Efficient and Flexible Discovery of PHP Application Vulnerabilities. In Euro S&P.","DOI":"10.1109\/EuroSP.2017.14"},{"key":"e_1_3_2_2_5_1","volume-title":"VEX: Vetting Browser Extensions for Security Vulnerabilities. In USENIX Security Symposium.","author":"Bandhakavi Sruthi","unstructured":"Sruthi Bandhakavi, Samuel T. Kingand P. Madhusudan, and Marianne Winslett. 2010. VEX: Vetting Browser Extensions for Security Vulnerabilities. In USENIX Security Symposium."},{"key":"e_1_3_2_2_6_1","doi-asserted-by":"crossref","unstructured":"Ahmet Salih Buyukkayhan Kaan Onarlioglu William Robertson and Engin Kirda. 2016. CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities. In NDSS.","DOI":"10.14722\/ndss.2016.23149"},{"key":"e_1_3_2_2_7_1","doi-asserted-by":"crossref","unstructured":"Stefano Calzavara Michele Bugliesi Silvia Crafa and Enrico Steffinlongo. 2015. Fine-Grained Detection of Privilege Escalation Attacks on Browser Extensions. In Programming Languages and Systems.","DOI":"10.1007\/978-3-662-46669-8_21"},{"key":"e_1_3_2_2_8_1","volume-title":"An Evaluation of the Google Chrome Extension Security Architecture. In USENIX Security Symposium.","author":"Carlini Nicholas","year":"2012","unstructured":"Nicholas Carlini, Adrienne Porter Felt, and David Wagner. 2012. An Evaluation of the Google Chrome Extension Security Architecture. In USENIX Security Symposium."},{"key":"e_1_3_2_2_9_1","volume-title":"Mystique: Uncovering Information Leakage from Browser Extensions. In CCS.","author":"Chen Quan","year":"2018","unstructured":"Quan Chen and Alexandros Kapravelos. 2018. Mystique: Uncovering Information Leakage from Browser Extensions. In CCS."},{"key":"e_1_3_2_2_10_1","unstructured":"chrome. [n. d.] a. Chrome Web Store Sitemap. https:\/\/chrome.google.com\/webstore\/sitemap. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_11_1","unstructured":"chrome. [n. d.] b. chrome.extension. https:\/\/developer.chrome.com\/extensions\/extension. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_12_1","unstructured":"chrome. [n. d.] c. chrome.runtime. https:\/\/developer.chrome.com\/docs\/extensions\/reference\/runtime. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_13_1","unstructured":"chrome. [n. d.] d. chrome.tabs. https:\/\/developer.chrome.com\/extensions\/tabs. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_14_1","unstructured":"chrome. [n. d.] e. Declare Permissions. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/declare_permissions. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_15_1","unstructured":"chrome. [n. d.] f. externally_connectable. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/manifest\/externally_connectable\/. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_16_1","unstructured":"chrome. [n. d.] g. How long will it take to review my item? https:\/\/developer.chrome.com\/docs\/webstore\/faq\/#faq-listing-108. Accessed on 2021-04--26."},{"key":"e_1_3_2_2_17_1","unstructured":"chrome. [n. d.] h. Manifest File Format. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/manifest. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_18_1","unstructured":"chrome. [n. d.] i. Message Passing. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/messaging. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_19_1","unstructured":"chrome. [n. d.] j. Migrating to Manifest V3. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/intro\/mv3-migration. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_20_1","unstructured":"chrome. [n. d.] k. Overview of Manifest V3. https:\/\/developer.chrome.com\/docs\/extensions\/mv3\/intro\/mv3-overview\/. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_21_1","unstructured":"chrome. [n. d.] l. The activeTab permission. https:\/\/developer.chrome.com\/docs\/extensions\/mv2\/manifest\/activeTab\/#what-activeTab-allows. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_22_1","unstructured":"chrome. [n. d.] m. Themes. https:\/\/developer.chrome.com\/extensions\/themes. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_23_1","unstructured":"Chromium. [n. d.]. Changes to Cross-Origin Requests in Chrome Extension Content Scripts. https:\/\/www.chromium.org\/Home\/chromium-security\/extension-content-script-fetches. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/648"},{"key":"e_1_3_2_2_25_1","unstructured":"Ecma International. [n. d.]. ECMAScript 2020 Language Specification. https:\/\/262.ecma-international.org\/11.0. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_26_1","unstructured":"Extension Monitor. [n. d.]. Breaking Down the Chrome Web Store. https:\/\/extensionmonitor.com\/blog\/breaking-down-the-chrome-web-store-part-1. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_27_1","unstructured":"Aurore Fass. [n. d.]. DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale. https:\/\/github.com\/Aurore54F\/DoubleX."},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"crossref","unstructured":"Aurore Fass Michael Backes and Ben Stock. 2019 a. HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs. In CCS. Code repository: https:\/\/github.com\/Aurore54F\/HideNoSeek.","DOI":"10.1145\/3319535.3345656"},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"crossref","unstructured":"Aurore Fass Michael Backes and Ben Stock. 2019 b. JStap: A Static Pre-Filter for Malicious JavaScript Detection. In ACSAC. Code repository: https:\/\/github.com\/Aurore54F\/JStap.","DOI":"10.1145\/3359789.3359813"},{"key":"e_1_3_2_2_30_1","volume-title":"Semi-Automatic Rename Refactoring for JavaScript. In Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA).","author":"Feldthaus Asger","year":"2013","unstructured":"Asger Feldthaus and Anders M\u00f8ller. 2013. Semi-Automatic Rename Refactoring for JavaScript. In Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA)."},{"key":"e_1_3_2_2_31_1","volume-title":"Warren","author":"Ferrante Jeanne","year":"1987","unstructured":"Jeanne Ferrante, Karl J. Ottenstein, and Joe D. Warren. 1987. The Program Dependence Graph and Its Use in Optimization. ACM Transactions on Programming Languages and Systems (TOPLAS) (1987)."},{"key":"e_1_3_2_2_32_1","unstructured":"HyungSeok Han DongHyeon Oh and Sang Kil Cha. 2019. CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines. In NDSS."},{"key":"e_1_3_2_2_33_1","unstructured":"Ariya Hidayat. [n. d.] a. ECMAScript Parsing Infrastructure for Multipurpose Analysis. http:\/\/esprima.org. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_34_1","unstructured":"Ariya Hidayat. [n. d.] b. Esprima. https:\/\/github.com\/jquery\/esprima. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_35_1","volume-title":"USENIX Security Symposium.","author":"Jagpal Nav","year":"2015","unstructured":"Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos, Moheeb Abu Rajab, and Kurt Thomas. 2015. Trends and Lessons from Three Years Fighting Malicious Extensions. In USENIX Security Symposium."},{"key":"e_1_3_2_2_36_1","volume-title":"Remedying the Eval That Men Do. In International Symposium on Software Testing and Analysis (ISSTA).","author":"Jensen Simon Holm","year":"2012","unstructured":"Simon Holm Jensen, Peter A. Jonsson, and Anders M\u00f8ller. 2012. Remedying the Eval That Men Do. In International Symposium on Software Testing and Analysis (ISSTA)."},{"key":"e_1_3_2_2_37_1","volume-title":"Type Analysis for JavaScript. In International Symposium on Static Analysis (SAS).","author":"Jensen Simon Holm","year":"2009","unstructured":"Simon Holm Jensen, Anders M\u00f8ller, and Peter Thiemann. 2009. Type Analysis for JavaScript. In International Symposium on Static Analysis (SAS)."},{"key":"e_1_3_2_2_38_1","volume-title":"Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In S&P.","author":"Jovanovic Nenad","year":"2006","unstructured":"Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. 2006. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In S&P."},{"key":"e_1_3_2_2_39_1","volume-title":"Hulk: Eliciting Malicious Behavior in Browser Extensions. In USENIX Security Symposium.","author":"Kapravelos Alexandros","year":"2014","unstructured":"Alexandros Kapravelos, Chris Grier, Neha Chachra, Christopher Kruegel, Giovanni Vigna, and Vern Paxson. 2014. Hulk: Eliciting Malicious Behavior in Browser Extensions. In USENIX Security Symposium."},{"key":"e_1_3_2_2_40_1","volume-title":"Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting. In NDSS.","author":"Karami Soroush","year":"2020","unstructured":"Soroush Karami, Panagiotis Ilia, Konstantinos Solomos, and Jason Polakis. 2020. Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting. In NDSS."},{"key":"e_1_3_2_2_41_1","unstructured":"Jamila Kaya and Jacob Rickerd. [n. d.]. Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users. https:\/\/duo.com\/labs\/research\/crxcavator-malvertising-2020. Accessed on 2021-04--27."},{"key":"e_1_3_2_2_42_1","unstructured":"Ravie Lakshmanan. [n. d.] a. 49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets. https:\/\/thehackernews.com\/2020\/04\/chrome-cryptocurrency-extensions.html. Accessed on 2021-04--27."},{"key":"e_1_3_2_2_43_1","unstructured":"Ravie Lakshmanan. [n. d.] b. Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions. https:\/\/thehackernews.com\/2021\/02\/over-dozen-chrome-extensions-caught.html. Accessed on 2021-04--27."},{"key":"e_1_3_2_2_44_1","volume-title":"USENIX Security Symposium.","author":"Laperdrix Pierre","year":"2021","unstructured":"Pierre Laperdrix, Oleksii Starov, Quan Chen, Alexandros Kapravelos, and Nick Nikiforakis. 2021. Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets. In USENIX Security Symposium."},{"key":"e_1_3_2_2_45_1","volume-title":"Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer. In USENIX Security Symposium.","author":"Lee Suyoung","year":"2020","unstructured":"Suyoung Lee, HyungSeok Han, Sang Kil Cha, and Sooel Son. 2020. Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer. In USENIX Security Symposium."},{"key":"e_1_3_2_2_46_1","unstructured":"Einar Lielmanis. [n. d.]. js-beautify. https:\/\/www.npmjs.com\/package\/js-beautify. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_47_1","volume-title":"Samuel Z. Guyer, Uday P. Khedker, Anders M\u00f8ller, and Dimitrios Vardoulakis.","author":"Livshits Benjamin","year":"2015","unstructured":"Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondvrej Lhot\u00e1k, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders M\u00f8ller, and Dimitrios Vardoulakis. 2015. In Defense of Soundiness: A Manifesto. In Communications of the ACM."},{"key":"e_1_3_2_2_48_1","unstructured":"Joseph Menn. [n. d.]. Exclusive: Massive spying on users of Google's Chrome shows new security weakness. https:\/\/www.reuters.com\/article\/us-alphabet-google-chrome-exclusive\/exclusive-massive-spying-on-users-of-googles-chrome-shows-new-security-weakness-idUSKBN23P0JO?il=0. Accessed on 2021-04--27."},{"key":"e_1_3_2_2_49_1","unstructured":"Katherine L. Monti. 1995. Folded Empirical Distribution Function Curves (Mountain Plots). In The American Statistician."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"crossref","unstructured":"Marvin Moog Markus Demmel Michael Backes and Aurore Fass. 2021. Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild. In Dependable Systems and Networks (DSN).","DOI":"10.1109\/DSN48987.2021.00065"},{"key":"e_1_3_2_2_51_1","unstructured":"Mozilla. [n. d.]. Firefox Browser Add-ons: Extensions. https:\/\/addons.mozilla.org\/en-US\/firefox\/extensions. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_52_1","unstructured":"Mozilla Developer Network. [n. d.]. XPCOM Interfaces. https:\/\/developer.mozilla.org\/en-US\/docs\/Archive\/Mozilla\/XUL\/Tutorial\/XPCOM_Interfaces. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_53_1","unstructured":"Mozilla Developer Network. [n. d.] a. Content Security Policy (CSP). https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/manifest.json\/content_security_policy. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_54_1","unstructured":"Mozilla Developer Network. [n. d.] b. Cross-Origin Resource Sharing (CORS). https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/CORS. Accessed on 2021-07--30."},{"key":"e_1_3_2_2_55_1","unstructured":"Mozilla Developer Network. [n. d.] c. EventTarget.addEventListener(). https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/EventTarget\/addEventListener. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_56_1","unstructured":"Mozilla Developer Network. [n. d.] d. Functions. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Reference\/Functions. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_57_1","unstructured":"Mozilla Developer Network. [n. d.] e. manifest.json: permissions. https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/manifest.json\/permissions. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_58_1","unstructured":"Mozilla Developer Network. [n. d.] f. Promise. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Reference\/Global_Objects\/Promise. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_59_1","unstructured":"Mozilla Developer Network. [n. d.] g. Same-origin policy. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_60_1","unstructured":"Mozilla Developer Network. [n. d.] h. tabs.executeScript(). https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/API\/tabs\/executeScript. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_61_1","unstructured":"Mozilla Developer Network. [n. d.] i. WindowEventHandlers.onmessage. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/WindowEventHandlers\/onmessage. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_62_1","unstructured":"Mozilla Developer Network. [n. d.] j. Window.postMessage(). https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/postMessage. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_63_1","unstructured":"Tomasz Andrzej Nidecki. [n. d.]. Mutation XSS in Google Search. https:\/\/www.acunetix.com\/blog\/web-security-zone\/mutation-xss-in-google-search. Accessed on 2021-04--21."},{"key":"e_1_3_2_2_64_1","unstructured":"Erlend Oftedal. [n. d.]. Retire.js: What you require you must also retire. https:\/\/retirejs.github.io\/retire.js. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"crossref","unstructured":"Xiang Pan Yinzhi Cao Shuangping Liu Yu Zhou Yan Chen and Tingzhe Zhou. 2016. CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites. In CCS.","DOI":"10.1145\/2976749.2978384"},{"key":"e_1_3_2_2_66_1","doi-asserted-by":"crossref","unstructured":"Nikolaos Pantelaios Nick Nikiforakis and Alexandros Kapravelos. 2020. You've Changed: Detecting Malicious Browser Extensions through their Update Deltas. In CCS.","DOI":"10.1145\/3372297.3423343"},{"key":"e_1_3_2_2_67_1","doi-asserted-by":"crossref","unstructured":"Inian Parameshwaran Enrico Budianto Shweta Shinde Hung Dang Atul Sadhu and Prateek Saxena. 2015. DexterJS: Robust Testing Platform for DOM-based XSS Vulnerabilities. In Foundations of Software Engineering.","DOI":"10.1145\/2786805.2803191"},{"key":"e_1_3_2_2_68_1","unstructured":"puppeteer. [n. d.]. puppeteer. https:\/\/github.com\/puppeteer\/puppeteer. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_69_1","volume-title":"Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. In USENIX Security Symposium.","author":"S\u00e1nchez-Rola Iskander","year":"2017","unstructured":"Iskander S\u00e1nchez-Rola, Igor Santos, and Davide Balzarotti. 2017. Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. In USENIX Security Symposium."},{"key":"e_1_3_2_2_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029820"},{"key":"e_1_3_2_2_71_1","unstructured":"Doli\u00e8re Som\u00e9. [n. d.]. extsanalyzer (EmPoWeb). https:\/\/gitlab.com\/doliere\/extsanalyzer. Accessed on 2021-04--29."},{"key":"e_1_3_2_2_72_1","unstructured":"Doli\u00e8re Francis Som\u00e9. 2019. EmPoWeb: Empowering Web Applications with Browser Extensions. In S&P."},{"key":"e_1_3_2_2_73_1","doi-asserted-by":"crossref","unstructured":"Pratik Soni Enrico Budianto and Prateek Saxena. 2015. The textscSicilian Defense: Signature-Based Whitelisting of Web JavaScript. In CCS.","DOI":"10.1145\/2810103.2813710"},{"key":"e_1_3_2_2_74_1","volume-title":"SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS.","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS."},{"key":"e_1_3_2_2_75_1","volume-title":"Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat. In WWW.","author":"Starov Oleksii","year":"2019","unstructured":"Oleksii Starov, Pierre Laperdrix, Alexandros Kapravelos, and Nick Nikiforakis. 2019. Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat. In WWW."},{"key":"e_1_3_2_2_76_1","doi-asserted-by":"crossref","unstructured":"Oleksii Starov and Nick Nikiforakis. 2017a. Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions. In WWW.","DOI":"10.1145\/3038912.3052596"},{"key":"e_1_3_2_2_77_1","volume-title":"XHOUND: Quantifying the Fingerprintability of Browser Extensions. In S&P.","author":"Starov Oleksii","year":"2017","unstructured":"Oleksii Starov and Nick Nikiforakis. 2017b. XHOUND: Quantifying the Fingerprintability of Browser Extensions. In S&P."},{"key":"e_1_3_2_2_78_1","unstructured":"StatCounter. [n. d.]. Desktop Browser Market Share Worldwide. https:\/\/gs.statcounter.com\/browser-market-share\/desktop\/worldwide. Accessed on 2021-04--25."},{"key":"e_1_3_2_2_79_1","volume-title":"Bor-Yuh Evan Chang, and Anders M\u00f8ller.","author":"Stein Benno","year":"2019","unstructured":"Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang, and Anders M\u00f8ller. 2019. Static Analysis with Demand-Driven Value Refinement. In ACM on Programming Languages."},{"key":"e_1_3_2_2_80_1","volume-title":"How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In USENIX Security Symposium.","author":"Stock Ben","year":"2017","unstructured":"Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. 2017. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In USENIX Security Symposium."},{"key":"e_1_3_2_2_81_1","volume-title":"An Empirical Study of Dangerous Behaviors in Firefox Extensions. In International Conference on Information Security (ISC).","author":"Wang Jiangang","year":"2012","unstructured":"Jiangang Wang, Xiaohong Li, Xuhui Liu, Xinshu Dong, Junjie Wang, Zhenkai Liang, and Zhiyong Feng. 2012. An Empirical Study of Dangerous Behaviors in Firefox Extensions. In International Conference on Information Security (ISC)."},{"key":"e_1_3_2_2_82_1","doi-asserted-by":"crossref","unstructured":"Michael Weissbacher Enrico Mariconti Guillermo Suarez-Tangil Gianluca Stringhini William Robertson and Engin Kirda. 2017. Ex-Ray: Detection of History-Leaking Browser Extensions. In ACSAC.","DOI":"10.1145\/3134600.3134632"},{"key":"e_1_3_2_2_83_1","doi-asserted-by":"crossref","unstructured":"Fabian Yamaguchi Nico Golde Daniel Arp and Konrad Rieck. 2014. Modeling and Discovering Vulnerabilities with Code Property Graphs. In S&P.","DOI":"10.1109\/SP.2014.44"}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484745","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484745","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:49:34Z","timestamp":1763498974000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484745"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":83,"alternative-id":["10.1145\/3460120.3484745","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484745","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}