Malicious Code Compromise in Web Developer Chrome Extension by Chris Pederick
CVE-2017-20202

9.3CRITICAL

Key Information:

Vendor: Web Developer For Chrome
Status: Web Developer For Chrome
Vendor: CVE Published:; 8 October 2025

🔔 Create Web Developer For Chrome Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2017-20202?

A compromise in the Web Developer for Chrome extension v0.4.9 enabled the execution of malicious code through a domain generated via a Domain Generation Algorithm (DGA). This malicious code fetched remote scripts that could load additional modules for ad substitution and malvertising. Victims experienced fake repair alerts redirecting them to affiliate programs, and there were attempts to harvest user credentials during login. The injected components were designed to enumerate common banner sizes for substitution purposes, replace legitimate third-party ad calls, and hijack user traffic towards affiliate landing pages. This incident raised significant concerns regarding user-level code execution in the browser context, extensive ad fraud, traffic redirection, and potential exposure to further malicious payloads.

Affected Version(s)

Web Developer for Chrome 0.4.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2017-20202 - Proof of Concept