Malicious websites can exploit browser extension APIs to execute code inside the browser and steal sensitive information such as bookmarks, browsing history, and even user cookies.
The latter, an attacker can use to hijack a user's active login sessions and access sensitive accounts, such as email inboxes, social media profiles, or work-related accounts.

The link for this article located at ZDNet is no longer available.