Google Security researcher Tavis Orlandy filed a bug report on December 15 and send the following e-mail to AVG:
“I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program].AVG released a broken patch on December 19, which got rejected by Google. At the moment, Google is evaluating a revised patch, and reviewing the extension to determine if AVG will be allowed to offer it at all. It's a quite sad incident, especially because AVG's free anti-virus solution is one of the best in the world.
Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.
There are multiple obvious attacks possible, for example, here is a trivial universal xss in the ‘navigate’ API that can allow any website to execute script in the context of any other domain.” (The relevant code samples can be viewed at the initial bug report.)
Full details ExtremeTech.