BitDefender TrafficLight extension redundant? Or just a bad interaction

I was helping a student working in our office do some documentation for users who think that a URL is OK and should be unblocked (I work at a large technical university in the US).

Step 1 in the process is to have the requester go to VirusTota (and there is guidance for vetting the URL Scanners reported if any show the URL as Malicious, or Malware)
If they still think it is clean, Step 2 is to take the Quttera link off of VirusTotal’s “Additional Information” tab.

The student doing the documentation asked me for an example of something that might be suspicious, without being clearly clean, or clearly bad.

So I went to webinspector.com and looked at “Recent Detections” and found one that was “Suspicious”.

In my pretty locked down VM, I had done screenshots of installing Comodo’s hardened Firefox and Chrome browsers, and had pointed users to the DrWeb and BitDefender link scanner extensions. I had added DrWeb (and took the defaults), and BitDefender TrafficLight to Dragon, and IceDragon. And I visited the site that I had picked on www.webinspector.com. TrafficLight gave me the warning “Attention Malware”, with a big “Take Me Back to Safety” button and a smaller “I know what I am doing” link.

But McAfee endpoint protection, on-access scan popped up, with a file in the browser cache being identified as JS/Exploit-Blacole.ht (description at Advanced Research Center | Trellix which shows detection by DrWeb as JS.Redirector.145 ) So something (bad) was actually downloaded. Interestingly, I get the same results with IceDragon, only the URL is "chrome://trafficlight/content/alerts/malware/page_blocked.

It is obfuscated javascript. I got the code from a Quttera scan of the website.

So my questions are 2-fold. Do Dragon (or IceDragon) do everything in a sandbox anyway (even javascript?) and so having users add extensions like DrWeb and BitDefender TraficLight just unnecessarily slow down the user. Or, is there a bad or an expected interaction where extensions like DrWeb and BitDefender TraficLight actually analyze the code in a safe context inside the browser, and so the “get me out of here” is sensational, but they really connect, and save any files that the website has them save for analysis, and that endpoint anti-malware might detect the file when it is saved.

Or are there actual risks that the browser process might be injected, or spawn another process, and things like this will really infect a system with Blackhole?

Thanks,

Jim