I’ve been checking some suspicious extensions and I’ve found one (in the Chrome store) that uses a slightly modified “jQuery v3.2.1” library.
The original:
accepts: {"*": Kb, text: "text/plain", html: "text/html", xml: "application/xml, text/xml", json: "application/json, text/javascript"},
Modified:
accepts: {"*": Kb, text: "text/plain", html: "text/сomponents", xml: "application/xml, text/xml", json: "application/json, text/javascript"},
The difference is that the modified one accepts “text/сomponents”.
But how can this help the attacker?
UPDATE:
Did you notice that the “c” in the “text/сomponents” string is not a “c”?
It’s actually a Unicode character: U+0441, a Cyrillic “s”. But I can’t tell how this helps anyone…
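
A substitution like the U+0441 one above is invisible in a visual diff, so a reviewer comparing a bundled library against the upstream release can scan for it mechanically. The following is an added example, not part of the original post: the function name `findMixedScriptWords`, the list of scripts checked, and the two shortened sample strings are assumptions made for illustration.

```javascript
// Added example: flag words that mix Latin letters with letters from
// another script (e.g. Cyrillic U+0441 standing in for Latin "c").

// Scripts checked besides Latin; this list is an assumption, extend as needed.
const OTHER_SCRIPTS = ["Cyrillic", "Greek", "Armenian"];
const LATIN = /\p{Script=Latin}/u;
const SCRIPT_TESTS = OTHER_SCRIPTS.map(
  (name) => [name, new RegExp(`\\p{Script=${name}}`, "u")]
);

function scriptOf(ch) {
  if (LATIN.test(ch)) return "Latin";
  for (const [name, re] of SCRIPT_TESTS) if (re.test(ch)) return name;
  return null; // digit, underscore, or a script not in the list
}

// Returns one finding per word containing Latin plus another listed script.
// Words written entirely in one script (e.g. localized strings) are ignored.
function findMixedScriptWords(source) {
  const findings = [];
  for (const m of source.matchAll(/[\p{L}\p{N}_]+/gu)) {
    const suspects = [];
    let hasLatin = false;
    for (const ch of m[0]) {
      const script = scriptOf(ch);
      if (script === "Latin") hasLatin = true;
      else if (script !== null) {
        const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
        suspects.push({ char: ch, codePoint: `U+${hex}`, script });
      }
    }
    if (hasLatin && suspects.length > 0) {
      findings.push({ word: m[0], index: m.index, suspects });
    }
  }
  return findings;
}

// Constructed samples, shortened from the two "accepts" lines in the post.
// \u0441 is written as an escape so the substitution is visible here.
const original = 'html: "text/html", xml: "application/xml, text/xml"';
const modified = 'html: "text/\u0441omponents", xml: "application/xml, text/xml"';

console.log(JSON.stringify(findMixedScriptWords(original)));
console.log(JSON.stringify(findMixedScriptWords(modified)));
```

Run over a whole minified file, each finding's `index` gives the UTF-16 offset of the suspicious word, which is easier to act on than searching a single long line by eye.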