What impact does an installed extension have on the browser fingerprint (uniqueness)?
There are no explicit APIs to enumerate the browser extensions. But this does not mean they are not detectable or that they cannot be included in the fingerprint even if the specific extension is not detected.
Browser extensions usually serve a purpose and this purpose can cause side effects, like manipulating the DOM (remove ads, change visual representation, enrich content with more additional information ...) or change the timing of operations. These side effects can be measured and can be included in the browser fingerprint. This can be done even if the specific extension is not known, i.e even the effect of private extensions can be included in the fingerprint.
Apart from that it might be possible to detect the existence of specific extension by probing their internal resources, see How to Detect Browser Extensions for details.
While there's never been a list of installed extensions available to the site's code, years ago the browser provided an inerrable list of "plugins" called navigator.plugins
. These aren't exactly the same as extensions as it's an older technology (eg. shockwave, quicktime, pdf), but some extensions added plugins to the list, and people often confuse the two.
At any rate, these lists have been decimated and are no longer useful to tell what's installed; they just list a few built-in common ones like Native Client and PDF handlers. The same with navigator.mimeTypes
, which could reveal installed applications, outside the browser, like Word. These changes were made explicitly to provide privacy and reduce fingerprinting surfaces.
In short, there's nothing inherently revealing about an extension these days, other than possible side-effects (eg. ads don't load) and artifacts (eg. shortcut icons on form fields).