The "The Attack: How it works" section explains how it works. It's not an API.

I am a little surprised something like CORS doesn't apply to it, though.

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

edit: I answered before I go fully through the article but it does say it's only Chrome based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

I was under the impression Firefox randomises extension IDs on install, so hopefully not?

The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.

they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox