Santh

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** The extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP using the Fetch API. This represents an inconsistent implementation of Transport Layer Security (TLS), as other endpoints within the same extension correctly utilize HTTPS to fetch IWF and CIPA data. **Recommendations** Update Securly Chrome Extension version 3.0.7 to a version that ensures all data is fetched over HTTPS.

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** The software contains hardcoded, plaintext AES passphrases within the `securly.min.js` file. These passphrases are used to decrypt intervention site data and crisis alert keyword data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** Multiple publicly accessible endpoints allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes (a cryptographic hash function that produces a 160-bit output) that are inadequately obfuscated using a simple Caesar cipher (a substitution cipher where each letter in the plaintext is shifted a certain number of places down the alphabet), which can be easily reversed to recover the original hash values and access the protected data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** The software dynamically registers `content13.min.js` as a content script at runtime using the `chrome.scripting.registerContentScripts()` function. Because this script is not declared in the `manifest.json` file, it bypasses the Chrome Web Store static security review. The script executes on all URLs, hiding all page content, creating a full-page overlay, and pausing all videos. Content is only restored after the service worker confirms the page passes filtering; however, if the servers are unreachable, the pages remain hidden indefinitely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** The software uses the `EVP BytesToKey` key derivation function with MD5 and a single iteration for AES encryption. MD5 is a cryptographic hash function that is no longer secure, and the use of a single iteration fails to provide key stretching, which is the process of making a weak key stronger by increasing the time it takes to test each possible key. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** The software downloads `config.json` over HTTP and compiles server-provided patterns as JavaScript regular expressions using the `new RegExp()` function without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, which is a state where a regular expression engine takes an exponential amount of time to determine if a string matches a pattern, resulting in a denial of service for all browsing. **Recommendations** Update Securly Chrome Extension to a version newer than 3.0.7. As a temporary workaround, restrict the use of the `new RegExp()` function for processing server-provided patterns until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Securly Chrome Extension version 3.0.7 **Description** The software uses deprecated SHA-1 hashing for IWF CSAM URL matching and CIPA blocklist matching. SHA-1 is a cryptographic hash function that is no longer considered secure against well-funded attackers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.