Browser Plugins

Back to Main

Your Browser Plugins

Loading...

From navigator.plugins property

1. Technical Classification

Browser API Legacy Technology NPAPI Plugins Deprecated

The navigator.plugins property returns a list of plugins installed in the browser. In the past, this revealed installed software like Flash Player, Java, Silverlight, and PDF viewers. However:

Mostly Obsolete

Browser plugins (NPAPI) have been deprecated and removed from all modern browsers. Most browsers now return an empty plugins list or fake data. This page documents historical context and why it was a privacy concern.

2. Background & Purpose

Browser plugins (NPAPI - Netscape Plugin API) were introduced in the mid-1990s to extend browser capabilities beyond basic HTML. They allowed third-party software to run inside web pages.

Famous Plugins from the Past

Adobe Flash Player (1996-2020)

Purpose: Animations, games, video playback, interactive content

Peak popularity: Installed on 90%+ of computers in the 2000s

Sunset: Adobe ended support December 31, 2020

Why it died: Security vulnerabilities, poor mobile support, replaced by HTML5

Java Applets (1995-2017)

Purpose: Run Java applications in the browser

Use cases: Banking websites, enterprise apps, educational software

Why it died: Constant security patches, slow performance, replaced by JavaScript

Microsoft Silverlight (2007-2021)

Purpose: Rich Internet Applications, video streaming (Netflix used it)

Why it died: HTML5 video made it obsolete

Adobe PDF Reader Plugin

Purpose: View PDFs directly in browser

Status: Replaced by native browser PDF viewers

Why Plugins Were Removed

  1. Security risks: Plugins were #1 source of browser exploits
  2. Performance: Slowed down browsers, caused crashes
  3. Mobile incompatibility: Never worked on iOS/Android
  4. Privacy concerns: Enabled fingerprinting and tracking
  5. Web standards: HTML5, CSS3, WebAssembly replaced plugin functionality

Timeline of Plugin Removal

Year Event
2015 Chrome disables NPAPI plugins by default
2016 Chrome removes NPAPI support entirely (except Flash)
2017 Firefox 52 removes all plugins except Flash
2020 All browsers remove Flash support
2021 navigator.plugins effectively deprecated

3. What navigator.plugins Returns Today

Modern Browsers (2024)

Chrome, Edge, Opera (Chromium-based)

Typical result: navigator.plugins.length = 5

Fake plugins reported:

  • Chrome PDF Plugin
  • Chrome PDF Viewer
  • Native Client

Note: These aren't real NPAPI plugins—they're built-in features reported for backward compatibility

Firefox

Typical result: navigator.plugins.length = 0

Privacy mode: Always returns empty array in privacy-focused configurations

Safari

Typical result: navigator.plugins.length = 0-2

May include: Built-in PDF viewer

Historical Plugin Enumeration (Pre-2015)

In the old days, navigator.plugins would reveal every installed plugin:

// Example from Firefox circa 2010 navigator.plugins[0].name = "Shockwave Flash" navigator.plugins[1].name = "Java Deployment Toolkit" navigator.plugins[2].name = "Adobe Acrobat" navigator.plugins[3].name = "QuickTime Plug-in" navigator.plugins[4].name = "Windows Media Player" // ... potentially dozens more

4. Historical Legitimate Uses

1. Flash Detection (Obsolete)

Use case: Check if Flash was installed before loading Flash content

// Historical code (no longer relevant) function hasFlash() { const plugins = navigator.plugins; for (let i = 0; i < plugins.length; i++) { if (plugins[i].name.indexOf('Flash') !== -1) { return true; } } return false; }

2. PDF Viewer Detection (Obsolete)

Use case: Determine if browser could display PDFs

Modern approach: All browsers have built-in PDF viewers now

3. Feature Detection (Obsolete)

Use case: Check for Java, Silverlight, or other plugin support

Modern approach: Use HTML5 APIs and progressive enhancement

Why These Uses Are Obsolete

5. Browser & Platform Differences

Current Browser Behavior (2024)

Browser navigator.plugins.length Behavior
Chrome 5 (fake) Reports built-in features as "plugins" for compatibility
Firefox 0 Returns empty array
Safari 0-2 May report PDF viewer
Edge 5 (fake) Same as Chrome (Chromium-based)
Mobile Browsers 0 Never supported plugins

Why Mobile Never Had Plugins

Steve Jobs famously blocked Flash from iOS in 2010, citing:

Jobs Was Right

Apple's decision to block Flash accelerated the shift to HTML5. Within 10 years, Flash was completely dead.

6. Privacy Implications & Tracking Risks

Privacy Risk: HIGH (Historically)

Plugin fingerprinting was one of the most powerful tracking techniques before plugins were deprecated. Today, it's mostly irrelevant.

Why Plugin Detection Was a Privacy Nightmare

1. Unique Combinations

Every user had a different set of installed plugins:

// Example historical fingerprint User A: Flash, Java, Acrobat, QuickTime User B: Flash, Silverlight, RealPlayer User C: Flash only // Each combination = unique identifier

With 10+ common plugins, the combinations were nearly infinite, making almost every user uniquely identifiable.

2. Version Numbers

Plugins reported exact version numbers:

  • Flash 11.2.202.310
  • Java 1.7.0_51
  • Reader 10.1.3

Version variations multiplied the uniqueness factor

3. Software Inventory

Plugin enumeration revealed installed software:

  • Professional software (Adobe products = creative professional?)
  • Niche plugins (CAD software, scientific tools) revealed occupation
  • Language-specific plugins revealed geographic location

Real-World Tracking Example (Historical)

Here's how plugin fingerprinting worked:

  1. User visits Site A with plugins: Flash 11.5, Java 1.6, Acrobat 9
  2. This combination found in only 0.1% of users
  3. Tracker assigns fingerprint: "FJ6A9"
  4. User visits Site B (different tracker, shares data)
  5. Same plugin combo detected → identified as same user
  6. Tracker builds profile across both sites

Modern Status: Mostly Fixed

Plugin fingerprinting is largely dead because:

Victory for Privacy

The death of browser plugins is one of the biggest privacy improvements in web history. Removing plugins eliminated a massive fingerprinting vector.

7. How to Control Plugin Information

Good News: Nothing to Do

Since real plugins no longer exist, there's nothing to control. However, for completeness:

Historical Advice (Pre-2015)

When plugins were still a thing, privacy-conscious users would:

Modern Privacy-Focused Browsers

Tor Browser

Strategy: Always reports navigator.plugins.length = 0

Effect: No fingerprinting via plugins

Brave Browser

Strategy: Returns fake plugin list (same as Chrome)

Effect: Blends in with Chrome users

Firefox Resist Fingerprinting

Enable: about:configprivacy.resistFingerprinting = true

Effect: Returns empty plugins array

If You Use Old Browser (Don't!)

If you're stuck on an old browser that still supports plugins:

Critical Security Risk

Old browsers with plugin support are vulnerable to malware and exploits. Update immediately!

Modern Replacements for Plugin Functionality

8. Learn More

MDN: navigator.plugins Official documentation (marked as deprecated) Firefox NPAPI Deprecation Mozilla's announcement on removing plugin support Chrome Removes NPAPI Google's explanation for removing plugins Adobe Flash End of Life Official Flash Player sunset announcement Steve Jobs: Thoughts on Flash (2010) Historic letter explaining why iOS blocked Flash BrowserLeaks: Plugin Detection Test what your browser reports for plugins EFF Panopticlick Test your browser's overall fingerprinting resistance Wikipedia: NPAPI History and technical details of Netscape Plugin API