YouTube Ad Blocker with 10 Million Installations Carries Script Injection Vulnerability

In a nutshell: A widely used YouTube ad blocker extension can execute arbitrary JavaScript code, presenting a significant security risk to its large user base.

A Chrome extension for blocking YouTube ads (ID: cmedhionkhpnakcndndgjdbohmhepckk) with over 10 million installations contains dormant code injection functions that enable arbitrary JavaScript execution.

Security firm Island has identified a critical vulnerability in the Chrome extension “Adblock for YouTube”. The extension is offered via the Chrome Web Store with a Featured Badge and has more than 10 million installations.

The extension is capable of executing arbitrary JavaScript code. While this functionality is currently dormant, it is maintained in the extension and could be activated remotely. For CISOs, this represents a risk in the context of browser security and supply chain integrity: millions of users could potentially be compromised if the extension were hacked or manipulated.

Island found these script injection functions through a comprehensive analysis of the extension code. Incident response teams should verify whether this or similar extensions are in use in their organization's environment and reassess their policies for monitoring Chrome extensions.
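One way to run that check on an endpoint is sketched below. This is an added example, not code from Island or from the article. It assumes stock Google Chrome user-data directories and the standard on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the sample tree, version numbers and permissions it builds are constructed for illustration.

```python
import json
from pathlib import Path

TARGET_ID = "cmedhionkhpnakcndndgjdbohmhepckk"  # extension ID quoted in the article

# Default Google Chrome user-data directories, relative to a user's home directory.
USER_DATA_DIRS = (
    "AppData/Local/Google/Chrome/User Data",      # Windows
    "Library/Application Support/Google/Chrome",  # macOS
    ".config/google-chrome",                      # Linux
)


def find_extension(user_data_dir, ext_id=TARGET_ID):
    """Return one record per profile and installed version of ext_id."""
    hits = []
    # On-disk layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # an unreadable manifest still counts as an install
        hits.append({
            "profile": manifest.parents[3].name,
            "version": data.get("version", manifest.parent.name),
            "permissions": data.get("permissions", []),
            "host_permissions": data.get("host_permissions", []),
        })
    return hits


def build_sample_tree(root):
    """Constructed sample data: one profile with the target, one without."""
    installs = {
        "Default": (TARGET_ID, "9.9.9", ["scripting", "storage"]),
        "Profile 1": ("a" * 32, "1.0.0", ["storage"]),  # unrelated, made-up ID
    }
    for profile, (ext_id, version, perms) in installs.items():
        vdir = Path(root) / profile / "Extensions" / ext_id / f"{version}_0"
        vdir.mkdir(parents=True)
        manifest = {"manifest_version": 3, "version": version, "permissions": perms}
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)


if __name__ == "__main__":
    for rel in USER_DATA_DIRS:
        for hit in find_extension(Path.home() / rel):
            print(f"FOUND {TARGET_ID} in {rel}: {hit}")
```

The recorded permissions give responders a starting point for triage; a fleet-wide inventory would run the same lookup against every user's home directory through existing endpoint tooling.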


Source: thehackernews.com · Published 25 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.