LinkedIn Scans Every Visitor's Browser for 6,000 Extensions. Your Sales Stack Is on the List.

By Notice Me Senpai Editorial

Every B2B marketer I know treats LinkedIn as infrastructure. It's where you run account-based campaigns, where your sales team does prospecting, where half the industry's recruiting happens. It is also, apparently, where hidden JavaScript scans your browser for over 6,000 extensions every time you load the page, then sends the results to LinkedIn's servers and at least one third-party cybersecurity firm.

That last part is new. An investigation published by BrowserGate this week documented the scanning system in forensic detail, including the specific code modules responsible, the full extension target list, and the types of data being collected. LinkedIn and Microsoft haven't responded to the allegations. For anyone spending B2B ad budget on the platform or using it as a sales channel, this creates a problem that goes well beyond the usual privacy discourse.

The scanning is more sophisticated than you'd expect

The technical details are specific enough to be unsettling. LinkedIn loads a 2.7 MB JavaScript bundle containing a hardcoded list of 6,167 Chrome extension IDs. On every page load, the system fires approximately 6,222 simultaneous fetch requests to chrome-extension:// URLs and collects the outcomes with Promise.allSettled(). A request to chrome-extension://<id>/<resource> only resolves when that extension is installed and exposes the resource as web-accessible to the page's origin; otherwise the browser rejects it. A fulfilled promise therefore tells LinkedIn the extension is installed. The converse is not guaranteed: an extension that exposes no web-accessible resource to linkedin.com stays invisible to this probe.

There's a secondary system running alongside it. A passive DOM scanner recursively searches the entire page for chrome-extension:// strings inside text nodes and element attributes. Content scripts that inject images, iframes or stylesheets leave their extension's URL behind in the DOM, so this catches extensions that modify the page even if they're not on the hardcoded list.

The scan list grew from roughly 461 products in 2024 to over 6,000 by February 2026. That's about 12 new extensions added per day. The growth rate alone tells you this isn't a side project or a legacy security check someone forgot to remove. It's actively maintained and expanding.

The scanning runs during browser idle periods via requestIdleCallback, which keeps it out of the long-task view in performance monitoring tools. Payloads are RSA-encrypted before transmission, so the report is unreadable if you intercept it in developer tools. Note what the encryption hides, though: it conceals what is reported, not that the probing happens, and the burst of chrome-extension:// requests is still observable from the page side. And the whole thing executes without any consent dialog, toggle, or checkbox. LinkedIn's privacy policy doesn't mention extension scanning, according to the BrowserGate analysis.
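The three mechanisms described above, written out as an added example. This is illustrative code, not LinkedIn's bundle and not anything reproduced from the BrowserGate report; it assumes the standard chrome-extension://<id>/<resource> probe and the DOM walk the article describes, and the extension IDs, resource path and DOM tree are constructed placeholders. The detector at the end is the check a practitioner wants when asking "is this page probing me?": it hooks fetch and counts chrome-extension:// requests, which works regardless of requestIdleCallback scheduling or payload encryption, provided it is installed before the page's own scripts run (for example from a user-script manager at document-start).

```javascript
// Added example (not LinkedIn's code, not from the BrowserGate report): the active
// probe, the passive DOM scan, and a fetch-hook detector for the probe.
// Extension IDs, resource paths and the DOM tree below are constructed placeholders.

const EXT_ID = "[a-p]{32}";                                  // Chrome IDs: 32 chars from a..p
const URL_RE = new RegExp(`chrome-extension://(${EXT_ID})`, "g");

// 1. Active probe. fetch("chrome-extension://<id>/<resource>") resolves only when the
//    extension is installed AND exposes that resource as web-accessible to the calling
//    origin; otherwise it rejects. allSettled lets every probe finish independently.
async function probeExtensions(targets, fetchImpl = globalThis.fetch) {
  const results = await Promise.allSettled(
    targets.map((t) => Promise.resolve().then(() => fetchImpl(`chrome-extension://${t.id}/${t.resource}`)))
  );
  return targets.filter((_, i) => results[i].status === "fulfilled").map((t) => t.id);
}

// 2. Passive scan. Walk the DOM and harvest extension IDs from any text node or
//    attribute value that embeds a chrome-extension:// URL (content scripts that
//    inject <img>, <iframe> or <link> tags leave these behind).
function scanDomForExtensions(root) {
  const found = new Set();
  const harvest = (s) => { for (const m of String(s ?? "").matchAll(URL_RE)) found.add(m[1]); };
  (function walk(node) {
    if (node.nodeType === 3) harvest(node.nodeValue);                                  // Node.TEXT_NODE
    if (node.nodeType === 1) for (const a of node.attributes ?? []) harvest(a.value);  // Node.ELEMENT_NODE
    for (const child of node.childNodes ?? []) walk(child);
  })(root);
  return [...found];
}

// 3. Detector. Wrap `target.fetch` (window.fetch in a browser) so a burst of
//    chrome-extension:// requests is counted. Hooking the call site means idle-time
//    scheduling and encrypted reporting make no difference to what is seen.
function installProbeDetector(target, onBurst, threshold = 50) {
  const original = target.fetch;
  const seen = new Set();
  let fired = false;
  target.fetch = function (input, init) {
    const url = typeof input === "string" ? input : input?.url ?? String(input);
    const m = new RegExp(`^chrome-extension://(${EXT_ID})/`).exec(url);
    if (m) {
      seen.add(m[1]);
      if (!fired && seen.size >= threshold) { fired = true; onBurst(seen.size); }
    }
    return original.call(this, input, init);
  };
  return {
    stats: () => ({ probed: seen.size, ids: [...seen] }),
    restore: () => { target.fetch = original; },
  };
}

// Constructed sample data: one "installed" ID (probe resolves), one absent.
const INSTALLED = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ABSENT = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const fakeFetch = (url) =>
  String(url).startsWith(`chrome-extension://${INSTALLED}/`)
    ? Promise.resolve({ ok: true, status: 200 })
    : Promise.reject(new TypeError("Failed to fetch"));   // what Chrome does for the rest

// Constructed DOM fragment: an injected <img> carries the extension URL.
const fakeDom = {
  nodeType: 1, attributes: [], childNodes: [
    { nodeType: 1, attributes: [{ name: "src", value: `chrome-extension://${INSTALLED}/icon.png` }], childNodes: [] },
    { nodeType: 3, nodeValue: "plain text, nothing to find here", childNodes: [] },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  probeExtensions(
    [{ id: INSTALLED, resource: "icon.png" }, { id: ABSENT, resource: "icon.png" }],
    fakeFetch
  ).then((ids) => console.log("probe says installed:", ids));
  console.log("DOM scan found:", scanDomForExtensions(fakeDom));
}
```

In a real browser, `installProbeDetector(window, (n) => console.warn(n, "extensions probed"))` is the whole setup; `probeExtensions` and `scanDomForExtensions` take `window.fetch` and `document` respectively.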

The extension categories are the uncomfortable part

If this were just scanning for ad blockers, it would be a different conversation. But the investigation documented what's actually on the list, and it's broader than most people would guess.

509 job search tools, covering roughly 1.4 million users. LinkedIn can identify which of its users are actively looking for new jobs. If you're an employer advertising on LinkedIn, that's information about your own employees that the platform has and you don't.

Over 200 competing sales intelligence tools: Apollo, Lusha, ZoomInfo, and others. If your sales team uses any of these alongside LinkedIn Sales Navigator, the platform now knows exactly which competitors to its own product your team is evaluating. I don't love the implications of that.

Extensions revealing religious beliefs, political orientations, disability accommodations, and neurodivergent status. The investigation specifically named PordaAI (an Islamic content filter), political-leaning browser extensions, and tools built for neurodivergent users. Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health status is prohibited unless one of the article's narrow exceptions applies, and the relevant one here is explicit consent.

The competitive intelligence problem that should bother you

Think about the information asymmetry this creates for a minute. You're spending ad budget on LinkedIn. Your sales team uses LinkedIn for prospecting. And the whole time, the platform is quietly cataloging which competing tools your team runs. They know if you're testing Apollo. They know if someone on your team installed a ZoomInfo extension. They know which job search tools your employees use, which means they probably know who is thinking about leaving before you do.

I'm not saying LinkedIn is actively weaponizing this data against individual advertisers. I genuinely don't know if they are, and it would be irresponsible to claim that without evidence. But the data collection itself creates an information advantage that flows entirely in one direction. You give LinkedIn your targeting data, your conversion events, your first-party customer lists. They get all of that, plus a detailed map of your browser extensions. The relationship was never symmetrical. This just makes the gap a lot harder to ignore.

If you've read our piece on how B2B ad algorithms misinterpret your sales cycle data, this is a similar pattern. The platform knows more about your business than you realize, and optimizes for its own objectives with that knowledge.

Legal proceedings have been filed against LinkedIn under the EU Digital Markets Act at the Regional Court of Munich. This is separate from the €310 million GDPR fine LinkedIn received in 2024 for ad targeting violations. The extension scanning potentially trips over several additional legal frameworks:

  • GDPR Article 9: processing special category data (religion, health, political beliefs) without explicit consent
  • The ePrivacy Directive: accessing terminal equipment without consent (§25 of Germany's TTDSG, renamed TDDDG in May 2024, carries fines up to €300,000 per violation)
  • German criminal code §202a: unauthorized data access, carrying up to 3 years imprisonment or a fine
  • California's CCPA/CPRA: undisclosed data collection, up to $7,500 per intentional violation

The GDPR penalty ceiling is 4% of global turnover. For Microsoft, that works out to roughly $11.27 billion. Nobody expects a fine anywhere near that size, obviously. But the DMA proceedings in Munich are the ones worth watching, because the DMA carries structural remedies, not just fines. That could mean changes to how LinkedIn handles targeting data, audience building, and API access. If you're planning significant LinkedIn Ads spend for Q3 or Q4, that regulatory timeline is worth keeping an eye on.

Three things to check before your next standup

There are practical steps worth taking this week, even before the legal situation develops further.

Audit your team's browser extensions. Open chrome://extensions in any Chrome browser your team uses for LinkedIn work. If your salespeople run competitive intelligence tools, any of those extensions that expose resources to linkedin.com are being cataloged. Consider setting up dedicated Chrome profiles for LinkedIn, separate from the profiles where your team evaluates competitor tools; each profile carries its own extension set, so a probe from one sees nothing installed in the other. It takes about two minutes per person.
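Going one step further than opening chrome://extensions, the added example below (illustrative code, not LinkedIn's and not from the BrowserGate report) parses the manifests of the extensions installed in a Chrome profile and reports which of them would answer a probe from a linkedin.com page. The rule it applies is the one the probe depends on: an MV2 extension with any web_accessible_resources is reachable from every origin, while an MV3 extension is reachable only if a web_accessible_resources entry's matches cover the page and use_dynamic_url is not set. The Linux profile path, the match-pattern subset it handles (scheme, host and path; no ports or query strings) and the sample manifests are assumptions.

```javascript
// Added example (not LinkedIn's code, not from the BrowserGate report). Audits which
// installed Chrome extensions would answer a chrome-extension:// probe issued from a
// given page. Profile path, sample manifests and their IDs/names are assumptions.

// Chrome match pattern -> RegExp. Handles scheme, host and path wildcards; ignores
// ports and query strings, which is enough to classify web_accessible_resources.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(?:https?|file|ftp|wss?):\/\//;
  const m = /^(\*|https?|file|ftp|wss?):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) return null;                                   // malformed: treat as "matches nothing"
  const [, scheme, host, path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const schemeRe = scheme === "*" ? "https?" : scheme;
  const hostRe = host === "*" ? "[^/]*"
    : host.startsWith("*.") ? `(?:[^/]*\\.)?${esc(host.slice(2))}`   // "*.x.com" also matches x.com
    : esc(host);
  const pathRe = esc(path).replace(/\*/g, ".*");          // "*" in the path means "anything"
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// Would a probe from pageUrl get a fulfilled fetch for some resource of this extension?
function exposedToPage(manifest, pageUrl) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return false;
  if (manifest.manifest_version !== 3) return true;     // MV2: a non-empty list is exposed to every origin
  return war.some((entry) =>
    !entry.use_dynamic_url &&                            // dynamic URLs replace the guessable static ID
    Array.isArray(entry.matches) &&                      // entries with only extension_ids are not web-reachable
    entry.matches.some((p) => matchPatternToRegExp(p)?.test(pageUrl))
  );
}

function auditManifests(manifests, pageUrl) {
  return Object.entries(manifests).map(([id, m]) => ({
    id,
    name: m.name ?? "(unnamed)",                         // may be a localized __MSG_...__ placeholder
    mv: m.manifest_version,
    probeable: exposedToPage(m, pageUrl),
  }));
}

// Read manifests from a Chrome profile: Extensions/<id>/<version>/manifest.json.
// Unreadable or non-JSON manifests are skipped rather than aborting the audit.
function loadChromeManifests(extensionsDir) {
  const fs = require("node:fs"), path = require("node:path");
  const out = {};
  for (const id of fs.readdirSync(extensionsDir)) {
    const idDir = path.join(extensionsDir, id);
    if (!/^[a-p]{32}$/.test(id) || !fs.statSync(idDir).isDirectory()) continue;
    for (const ver of fs.readdirSync(idDir)) {
      const file = path.join(idDir, ver, "manifest.json");
      try { out[id] = JSON.parse(fs.readFileSync(file, "utf8")); } catch { /* skip */ }
    }
  }
  return out;
}

// Constructed sample manifests covering the four cases the rule distinguishes.
const SAMPLE_MANIFESTS = {
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { name: "Prospecting helper (sample)", manifest_version: 3,
    web_accessible_resources: [{ resources: ["icon.png"], matches: ["https://*.linkedin.com/*"] }] },
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: { name: "Dynamic-URL extension (sample)", manifest_version: 3,
    web_accessible_resources: [{ resources: ["icon.png"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  cccccccccccccccccccccccccccccccc: { name: "Legacy MV2 extension (sample)", manifest_version: 2,
    web_accessible_resources: ["inject.js"] },
  dddddddddddddddddddddddddddddddd: { name: "No exposed resources (sample)", manifest_version: 3 },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  // Assumed default: Linux Chrome profile. Pass another Extensions dir as argv[2].
  const dir = process.argv[2] ?? `${process.env.HOME}/.config/google-chrome/Default/Extensions`;
  const haveProfile = fs.existsSync(dir);
  if (!haveProfile) console.log(`(${dir} not found; showing constructed sample manifests)`);
  const manifests = haveProfile ? loadChromeManifests(dir) : SAMPLE_MANIFESTS;
  for (const r of auditManifests(manifests, "https://www.linkedin.com/feed/")) {
    console.log(`${r.probeable ? "PROBEABLE" : "hidden   "}  ${r.id}  MV${r.mv}  ${r.name}`);
  }
}
```

Run it with `node audit.js` on a machine whose Chrome profile lives at the assumed path, or pass the Extensions directory of the profile you care about (on macOS it sits under `~/Library/Application Support/Google/Chrome/<profile>/Extensions`). Everything reported as PROBEABLE is what a page on linkedin.com can confirm is installed; the hidden ones are not reachable by the fetch probe, though a content script that injects markup can still be caught by the DOM scan.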

Review your LinkedIn Ads data sharing settings. Go to your Campaign Manager account settings and check what conversion tracking, audience sharing, and partner data integrations you have active. Most accounts still run the defaults, which tend to be the maximum sharing option. Worth a look at what you've opted into, possibly without realizing it.

Talk to your sales team about browser hygiene. If you run a team that uses LinkedIn Sales Navigator alongside third-party prospecting tools, have a quick conversation about which browser they use for which purpose. This isn't paranoia. It's basic compartmentalization that most security-conscious teams already practice for other platforms. LinkedIn just gave you a concrete reason to extend that practice.

And if you happen to develop browser extensions yourself, you should know that LinkedIn can identify your users. The BrowserGate investigation documented extensions with install bases as small as a few hundred users appearing on the scan list. That's your customer data being collected without your knowledge or consent.

The trust math just got more complicated

One thing that keeps nagging at me about this story is how predictable it feels in hindsight. LinkedIn is a platform that sells access to professional data. Of course they'd want to know everything possible about the professionals visiting the site. The extension scanning is just the version of that impulse that somebody decided didn't need a consent dialog. Or maybe it went through legal and they said yes. I honestly can't tell which scenario is worse.

The B2B ad market doesn't have many real alternatives to LinkedIn for the type of professional targeting it offers. That hasn't changed, and it probably won't change soon. But knowing exactly how much information flows to the platform, beyond what you voluntarily share, seems like relevant context for anyone deciding how much of their budget belongs there. The targeting works. The audience is there. But the full cost of access just got a lot more visible, and every B2B team should at least understand what they're trading before the next budget review.