Security Best Practices for Browser Extensions

Browser extensions are small pieces of software that perform a specific function or add a new feature to your browser. They are a favorite target for attackers because they have special permissions within the browser client. These permissions can allow an attacker to steal passwords and other data in the browser, as well as install malware.

Generally, it is OK to install browser extensions; however, you must be diligent about the extensions you install so that they do not introduce new vulnerabilities, keeping your device secure and your data private. Although no extension is guaranteed to be secure, follow the guidelines below to help ensure that the extensions you install are as safe as possible.

  • Only install extensions from the trusted store for the browser client you are using. Each browser maintains a trusted store of extensions that, while not guaranteed to be secure, have been vetted by the browser client developers. Where available, links to the trusted store for each browser have been provided below.
  • Only install extensions that are truly necessary and remove extensions that are no longer needed. Remember, every extension that is installed increases the potential attack surface you open to attackers. 
  • Review permissions regularly. Each extension installed will require certain permissions. Review the permissions of the extension and if anything seems questionable (for example, a calendar extension that asks to read and modify your browser history and/or change your privacy settings), it’s probably better to find a different extension. 
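
The permission review described in the last guideline can be partly automated. The following is an added example, not part of the original guidance: it reads the text of an extension's manifest.json and lists requested permissions that deserve a second look. It assumes a Chrome-style manifest; the set of permissions treated as sensitive is this example's own selection, and the sample manifest is constructed.

```python
import json

# Permissions that grant broad access to browsing data or browser settings.
# Names are Chrome extension manifest permission strings; the wording of each
# reason and the choice of entries are this example's own assumptions.
SENSITIVE = {
    "history": "read and modify browsing history",
    "privacy": "change privacy settings",
    "cookies": "read and modify cookies",
    "webRequest": "observe network requests",
    "management": "manage other extensions",
    "nativeMessaging": "talk to programs outside the browser",
    "debugger": "attach the debugger to tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def review_manifest(manifest_text):
    """Return sorted (permission, reason) pairs that deserve a second look."""
    manifest = json.loads(manifest_text)
    requested = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts also gain page access through their match patterns.
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    findings = set()
    for perm in requested:
        if perm in SENSITIVE:
            findings.add((perm, SENSITIVE[perm]))
        elif perm in BROAD_HOSTS:
            findings.add((perm, "access data on every site"))
    return sorted(findings)


# Constructed sample: a calendar extension asking for more than a calendar needs.
SAMPLE_MANIFEST = """{
  "name": "Example Calendar Helper",
  "manifest_version": 3,
  "permissions": ["alarms", "storage", "history", "privacy"],
  "host_permissions": ["https://calendar.example.com/*", "<all_urls>"]
}"""

if __name__ == "__main__":
    for perm, reason in review_manifest(SAMPLE_MANIFEST):
        print(f"review: {perm:<12} can {reason}")
```

A flagged permission is a prompt to ask whether the extension's stated purpose needs it, not proof that the extension is malicious.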

For a deep dive into the safety of an extension, use https://crxcavator.io to view a risk report on that extension. If the extension has a risk score above 500 or critical permission risks, do not install that extension.


Not sure how to start?

Get in touch if you don’t know where to begin, you can’t find the guidance needed on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for the Vanderbilt community to discuss security questions or concerns.

Get Security Help