SN Utils Security Audit - Complete Analysis

Security Verdict: SAFE

After analyzing 90 files containing 64,670 lines of code, this audit confirms that SN Utils does NOT phone home or transmit data to external servers.

All Network Calls

Target only user's ServiceNow instance (relative URLs) or localhost WebSocket

No Tracking/Analytics

Zero telemetry, beacons, or data collection code found

CSP Enforced

Content Security Policy blocks all external connections

Network Communication

External HTTP/HTTPS	0 calls
ServiceNow API (relative)	41 calls
WebSocket (localhost only)	1 call
sendBeacon / EventSource	0 calls
RTCPeerConnection	0 calls

Code Execution Vectors

eval()	0 (excl. Monaco)
new Function()	0 (excl. Monaco)
Remote script loading	0
Dynamic script.src (local)	6
innerHTML/insertAdjacentHTML	DOMPurify sanitized

Content Security Policy (manifest.json:112)

"content_security_policy": {
  "extension_pages": "default-src 'self';
    style-src 'self' 'unsafe-inline';
    img-src https://*.service-now.com 'self' data:;
    child-src 'none'; object-src 'none';
    frame-src https://*.service-now.com;
    connect-src https://*.service-now.com ws://127.0.0.1:1978/"
}

Key finding: The connect-src directive explicitly restricts ALL network connections to only ServiceNow domains and localhost:1978 WebSocket. This is browser-enforced and cannot be bypassed by extension code.

Only External-Looking Connection: WebSocket to Localhost

function connect() {
    ws = new WebSocket("ws://127.0.0.1:1978");
    ws.onerror = function (evt) {
        // Connection error handling

What it does

Connects to VS Code extension "sn-scriptsync" running on the same machine for live code editing

Why it's safe

127.0.0.1 is localhost - never leaves your machine. Requires VS Code extension running locally.

Audit Methodology

Patterns Searched (Regex)

Network APIs

fetch\s*\(
XMLHttpRequest|new\s+XMLHttpRequest
WebSocket|new\s+WebSocket
navigator\.sendBeacon
EventSource|new\s+EventSource
RTCPeerConnection

URLs & Domains

https?://
wss?://
\.com|\.net|\.org|\.io

Code Execution

eval\s*\(
new\s+Function\s*\(
createElement\s*\(\s*['"]script
\.src\s*=
import\s*\(

Suspicious Names

tracking|analytics|beacon
telemetry|ping|report
upload|sync|phone|send
atob|btoa

Clone Repository

Cloned from github.com/arnoudkooi/SN-Utils for local analysis

Enumerate All Files

Found 90 source files (JS, HTML, JSON, CSS) totaling 64,670 lines

Run Pattern Searches

Used ripgrep to search all patterns across entire codebase with line numbers and context

Manual Code Review

Read each flagged line with surrounding context to determine actual behavior

Classify All URLs

Every URL categorized as: ServiceNow relative, localhost, extension local, or external link

Verify Manifest Permissions

Analyzed all 6 manifest variants (Chrome, Firefox, Edge, Safari, On-prem)

Audit Third-Party Dependencies

Verified all 8 bundled libraries are local copies with no CDN loading

Complete File Inventory (90 files)

Core Extension Files (16 files, 12,541 lines)

JS background.js

1,284 lines 2 fetch ✓

JS inject.js

6,847 lines 18 fetch, 3 XHR ✓

JS popup.js

2,409 lines 6 fetch ✓

JS scriptsync.js

1,982 lines 1 WebSocket (localhost) ✓

JS inject_next.js

783 lines 0 network ✓

JS codesearch.js

531 lines 1 fetch ✓

JS viewdata.js

345 lines 3 fetch ✓

JS content_script_all_frames.js

187 lines 0 network ✓

JS content_script_parent.js

217 lines 1 fetch ✓

JS inject_parent.js

80 lines 0 network ✓

Supporting JS Files (js/ directory)

js/bgscript.js

1 fetch (form submit) ✓

js/bgscriptmodern.js

1 fetch (form submit) ✓

js/sidepanel.js

0 network ✓

js/snippets.js

0 network ✓

js/instancetag.js

0 network ✓

js/inject_flow.js

0 network ✓

js/theme-toggle.js

0 network ✓

js/monaco/codeeditor.js

2 fetch (SN API) ✓

js/monaco/diff.js

2 fetch (compare) ✓

js/monaco/settingeditor.js

0 network ✓

Bundled Libraries (All Local - No CDN)

js/jquery.min.js ✓ Local bundle

js/bootstrap.bundle.min.js ✓ Local bundle (v5.3.2)

js/datatables.min.js ✓ Local bundle (v1.13.4)

js/moment.js ✓ Local bundle

js/purify.min.js ✓ DOMPurify v3.2.6

js/md5.js ✓ Local bundle

js/Tinycon.js ✓ Local bundle

js/monaco/* (24 files) ✓ Monaco Editor (local)

HTML Files (10 files)

All HTML files load scripts only from local extension files (no external CDN):

popup.html
scriptsync.html
codesearch.html
codeeditor.html
diff.html
viewdata.html
sidepanel.html
snippets.html
settingeditor.html
welcome.html

Manifest Files (6 variants)

manifest.json (Chrome) ✓ CSP enforced

publish/manifest-edge.json ✓ CSP enforced

publish/manifest-firefox.json ✓ CSP enforced

publish/manifest-safari.json ✓ CSP enforced

publish/manifest-onprem.json ⚠ <all_urls> (required for on-prem)

publish/manifest-firefox-onprem.json ⚠ <all_urls> (required for on-prem)

All Network Calls with Context

fetch() Calls (38 total) All to ServiceNow or local

background.js line 943

// Cancel user transactions on instance
fetch(url + '/cancel_my_transactions.do', {}, r => {

✓ Relative URL - cancels transactions on user's ServiceNow instance

inject.js line 1237

fetch("/api/now/ui/concoursepicker/language", {
    method: "GET",
    headers: { "X-UserToken": g_ck }
})

✓ ServiceNow UI API - gets language settings

inject.js line 5203

fetch(`/api/now/ui/impersonate/role`, {
    method: "GET",
    headers: { "X-UserToken": g_ck }
})

✓ ServiceNow impersonation API

popup.js line 167

fetch(chrome.runtime.getURL('CHANGELOG.md'))
    .then(response => response.text())

✓ Local extension file - NOT a network call

... and 34 more fetch() calls, all following the same pattern: relative URLs to ServiceNow APIs or local extension files.

XMLHttpRequest (3 total) All to ServiceNow

inject.js line 4140-4141

var client = new XMLHttpRequest();
client.open("put", "/api/now/table/sys_attachment/" + sysID);
client.setRequestHeader('Accept', 'application/json');

✓ Renames attachment - relative URL to ServiceNow Table API

inject.js line 5253-5255

var client = new XMLHttpRequest();
if (query)
    client.open("get", "api/now/table/sys_user?...");

✓ Gets users for impersonation - ServiceNow User API

inject.js line 5563-5564

var client = new XMLHttpRequest();
client.open("get", "notfoundthispage.do", false);

✓ Checks impersonation status - calls nonexistent page to check response

WebSocket (1 total) Localhost only

scriptsync.js line 160

function connect() {
    ws = new WebSocket("ws://127.0.0.1:1978");
    ws.onerror = function (evt) {

127.0.0.1 is localhost - this connection never leaves your machine. It's for communicating with the VS Code "sn-scriptsync" extension for live code editing.

Security: Instance URL Validation safeFetch wrapper

scriptsync.js lines 336-351

// I add a safeFetch wrapper that only allows approved instance URLs
function isApprovedInstanceUrl(rawUrl) {
  return scriptsyncinstances?.allowed?.includes(rawUrl);
}
async function safeFetch(path, rawUrl, init) {
  if (!isApprovedInstanceUrl(rawUrl)) {
    throw new Error(`Fetch to unapproved instance URL blocked: ${rawUrl}`);
  }
  let url;
  try {
    url = new URL(path, rawUrl).toString();
  } catch (e) {
    throw new Error(`Invalid URL: ${e.message}`);
  }
  return fetch(url, init);
}

Security control: This wrapper validates that all API requests in scriptsync only go to user-approved ServiceNow instances. URLs must be explicitly added to the allowlist by the user.

Chrome Storage & Extension APIs

chrome.storage.sync Usage

Syncs via user's Chrome/Firefox account - standard browser feature, not external telemetry

Key	Purpose	Sensitive?
changelog_seen_version	Tracks which changelog user has seen	No
snusettings	User preferences (UI options)	No
instancetag	Instance color/label settings	No
{instance}-slashcommands	Custom slash commands per instance	No

chrome.storage.local Usage

Local only - does NOT sync externally

Key	Purpose
popupSize	Remember popup window dimensions
scriptsyncinstances	Allowed/blocked instance URLs for scriptsync
synctab	Tab ID for scriptsync helper

Manifest Permissions Analysis

Chrome Manifest Permissions

"permissions": [
  "activeTab",
  "declarativeContent",
  "storage",
  "contextMenus",
  "cookies",
  "sidePanel"
],
"host_permissions": [
  "https://*.service-now.com/*"
]

✓ Minimal permissions. Host access limited to ServiceNow domains only.

On-Prem Manifest Note

The on-prem version uses <all_urls> and *://*/* because on-premises ServiceNow instances use custom domains (not *.service-now.com). This is expected and documented in PRIVACY.md.

All Search Patterns & Results

fetch\s*\( 38 matches - all safe

All fetch calls use relative URLs to ServiceNow or chrome.runtime.getURL()

new XMLHttpRequest 3 matches - all safe

All XHR calls use relative URLs to ServiceNow APIs

new WebSocket 1 match - localhost only

Single WebSocket to ws://127.0.0.1:1978 for VS Code integration

sendBeacon|EventSource|RTCPeerConnection 0 matches

No tracking beacons, SSE, or WebRTC found

eval\( 0 matches (excluding Monaco)

No eval() in extension code. Monaco editor has standard eval for code execution.

tracking|analytics|telemetry|beacon 0 suspicious matches

Found in ServiceNow table names (sys_report) only, not telemetry code

createElement('script') 6 matches - all local

All use chrome.runtime.getURL() or snusettings.extensionUrl for local files

Third-Party Dependencies Security Audit

Total Libraries

No Known CVEs

Maintenance Mode

Active CVEs

All Dependencies Bundled Locally

All third-party libraries are included directly in the extension package. No external CDN dependencies. No network calls to fetch dependencies at runtime.

SAFE jQuery v3.7.1 0 CVEs

Library Details

File:	js/jquery.min.js
License:	MIT
Latest:	3.7.1 (current)
Source:	jquery.com

Security Analysis

No CVEs reported for v3.7.1 (2024-2025)

All historical XSS vulnerabilities patched

Running latest stable version

Sources: Snyk, CVE Details

SAFE Bootstrap v5.3.2 0 CVEs

Library Details

Files:	js/bootstrap.bundle.min.js, css/bootstrap.min.css
License:	MIT
Latest:	5.3.3 (one minor behind)
Source:	getbootstrap.com

Security Analysis

No CVEs affect v5.3.2

CVE-2024-6484/6485/6531 affect Bootstrap 3-4 only

CVE-2025-1647 affects Bootstrap 3 only

Sources: Snyk, CVE Details

SAFE DOMPurify v3.2.6 0 Active CVEs

Library Details

File:	js/purify.min.js
License:	Apache 2.0 / MPL 2.0
Latest:	3.3.1 (patch available)
Source:	cure53/DOMPurify

Security Analysis

CVE-2024-47875 (mXSS) fixed in 3.1.3

CVE-2025-26791 fixed in 3.2.4

v3.2.6 includes prototype pollution hardening

Purpose: XSS sanitization library used to safely render user-generated HTML content. Critical security component.

Sources: Snyk, GitHub Releases

SAFE Monaco Editor v0.43.0 0 CVEs

Library Details

Files:	js/monaco/vs/* (40+ files)
License:	MIT
Latest:	0.52.x (several versions behind)
Source:	microsoft/monaco-editor

Security Analysis

No CVEs reported for v0.43.0

VS Code's official editor component

Contains eval() - expected for code editor

Purpose: Powers the inline code editor for script editing. Used for JS, CSS, HTML, and XML syntax highlighting.

SAFE DataTables v1.13.4 0 Active CVEs

Library Details

Files:	js/datatables.min.js, css/datatables.min.css
License:	MIT
Includes:	AutoFill 2.5.3, Buttons 2.3.6, HTML5 export 2.3.6
Source:	datatables.net

Security Analysis

CVE-2021-23445 fixed in 1.11.3 (this is 1.13.4)

Known prototype pollution - low risk in browser context

No 2024-2025 CVEs reported

Sources: Snyk, DataTables Forum

MAINTENANCE Moment.js v2.29.x Deprecated

Library Details

File:	js/moment.js
License:	MIT
Status:	Maintenance mode since 2020
Source:	momentjs.com

Security Analysis

CVE-2022-31129 (ReDoS) fixed in 2.29.4

CVE-2022-24785 (path traversal) patched

No new CVEs in 2024-2025

Note: Moment.js is in maintenance mode. The team recommends Luxon, Day.js, or native JS Date/Intl for new projects. However, it remains safe for existing use with latest patches applied.

Sources: Snyk, Moment.js Docs

SAFE Font Awesome v5.13.0 0 CVEs

Library Details

Files:	css/font-awesome.min.css, webfonts/*
License:	CC BY 4.0 (Icons), MIT (Code)
Type:	CSS + Fonts only (no JS)
Source:	fontawesome.com

Security Analysis

No CVEs for Font Awesome 5.13.0

CSS/font files have minimal attack surface

Bundled locally (no CDN)

SAFE Tabulator (CSS only) 0 CVEs

Library Details

File:	css/tabulator.min.css
License:	MIT
Type:	CSS only (no JS component included)
Source:	tabulator.info

Security Analysis

No direct vulnerabilities found

CSS-only inclusion (minimal risk)

SAFE Blueimp MD5 (JavaScript-MD5) 0 CVEs

Library Details

File:	js/md5.js
License:	MIT
Author:	Sebastian Tschan (blueimp)
Source:	blueimp/JavaScript-MD5

Security Analysis

No CVEs reported for blueimp-md5

MD5 is cryptographically weak - don't use for passwords

OK for checksums/fingerprinting (likely use case)

SAFE Tinycon v0.6.x 0 CVEs

Library Details

File:	js/Tinycon.js
License:	MIT
Author:	Tom Moor
Source:	tommoor/tinycon

Security Analysis

No documented CVEs

Simple favicon badge manipulation library

Uses canvas API (no external calls)

Purpose: Adds notification badges/bubbles to browser favicons. Used for showing unread counts.

SAFE DataStream.js (Binary parser) 0 CVEs

Library Details

File:	js/DataStream.js
License:	Apache 2.0
Purpose:	Binary ArrayBuffer parsing

Security Analysis

No documented CVEs

Pure data parsing (no network calls)

Used with msg.reader for Outlook files

SAFE MSG Reader (Outlook .msg parser) 0 CVEs

Library Details

File:	js/msg.reader.js
License:	Apache 2.0
Author:	Yury Karpovich
Purpose:	Parse Outlook .msg files

Security Analysis

No documented CVEs

Local file parsing only

No network functionality

Dependency Security Summary

Key Findings

0 active CVEs affecting bundled versions
All libraries bundled locally - no CDN dependencies
DOMPurify included for XSS protection
All licenses permissive (MIT, Apache 2.0)

Recommendations

Consider upgrading Moment.js to Day.js or Luxon in future
Update DOMPurify to 3.3.1 when convenient
Consider updating Monaco Editor for latest features

Security checks performed: February 2026 | Sources: Snyk, NVD, CVE Details, GitHub Security Advisories