Every time you load a LinkedIn page, a hidden JavaScript script is quietly probing your browser — scanning for over 6,000 Chrome extensions you might have installed, while simultaneously harvesting detailed information about your device. It’s called “BrowserGate,” and a new security report has put LinkedIn under serious scrutiny for practices that most users have no idea are happening.

What the Script Is Actually Doing to Your Browser

According to a report published by Fairlinked e.V. and independently verified by BleepingComputer through their own testing, LinkedIn injects a JavaScript fingerprinting script into every single page load. That script attempts to detect 6,236 specific Chrome extensions installed on your browser by probing file resources tied to individual extension IDs — a well-documented technique for identifying what software a visitor has running in their browser.

But it doesn’t stop at extensions. The same script also collects your CPU core count, available device memory, screen resolution, time zone, language settings, and battery status. These data points, taken together, form what’s known as a browser fingerprint — a unique profile of your device that can be used to identify and track you across sessions. Because LinkedIn accounts are tied to real names, employers, and job titles, this fingerprinting data can be directly linked back to real, identifiable people.

The scale of this scanning has grown rapidly. A GitHub repository documented LinkedIn probing for around 2,000 extensions in 2025. By February of this year, a separate repository logged approximately 3,000. The current count now stands at 6,236 — and it appears to be climbing.

Why Is LinkedIn Scanning Competitors’ Extensions?

A significant portion of the extensions being scanned are sales intelligence and prospecting tools — including products from Apollo, Lusha, and ZoomInfo — all of which compete directly with LinkedIn’s own Sales Navigator product. The Fairlinked report claims LinkedIn is scanning for more than 200 competing products in total. The script also reportedly checks for language and grammar tools, tax professional software, and other categories with no obvious relevance to LinkedIn’s platform or anti-scraping efforts.

That breadth raises uncomfortable questions. If the purpose were purely to detect scraping tools, why scan grammar extensions? Why catalogue hardware specs? Critics argue the scope of data collection goes well beyond what any legitimate security justification would require.

LinkedIn’s Explanation — and Why Not Everyone Is Convinced

LinkedIn told BleepingComputer that the scanning is a protective measure — specifically designed to identify browser extensions that scrape member data without consent and violate its terms of service.

“To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent.”

— LinkedIn spokesperson, via BleepingComputer

The company also stated it does not use the collected data to infer sensitive information about users. LinkedIn further noted that the Fairlinked report was authored by someone whose account had been restricted for scraping — a person linked to a browser extension called “Teamfluence” that LinkedIn says broke its platform rules. A German court rejected that individual’s request for a preliminary injunction against LinkedIn, ruling the platform was within its rights to block accounts engaged in automated data collection.

Whether LinkedIn’s explanation fully accounts for scanning 6,000-plus extensions — including hundreds of competitor tools and categories entirely unrelated to scraping — is a question that privacy advocates are unlikely to let drop.

LinkedIn Isn’t the First — But the Scale Here Is Different

Aggressive client-side fingerprinting by major platforms isn’t new. In 2021, eBay was found to be running JavaScript that performed automated port scans on visitors’ devices to detect remote access software. The same script later turned up on websites run by Citibank, TD Bank, and Equifax — raising industry-wide concerns about the normalisation of invasive browser surveillance by large corporations.

LinkedIn’s situation carries its own distinct weight, though. This is a platform that holds professionally sensitive data about hundreds of millions of people — their employers, career histories, and real identities. The combination of detailed device fingerprinting with that level of personal and professional data creates a surveillance profile that goes far beyond what most users would consider acceptable or expected.

What You Can Do About It

For users concerned about this kind of tracking, a few practical steps can help. Using a privacy-focused browser or enabling strict tracking protection can limit what scripts like this are able to access. Browser extensions specifically designed to block fingerprinting — ironically — can reduce the data LinkedIn’s script is able to collect. Keeping your extension list minimal also reduces the amount of information the scan can reveal about your setup.

Whether regulatory bodies in Europe or elsewhere will take a closer look at LinkedIn’s practices in the wake of this report remains to be seen. But for now, the next time you scroll through your LinkedIn feed, something is quietly scrolling through you right back.