Users complaining on the Lenovo forums describe how the software would inject advertisements into their systems, behavior more akin to what the industry would call a PUP, short for "potentially unwanted program."
Perhaps most troubling is the allegation that the software can present users with a fake certificate instead of the one belonging to the legitimate site they're trying to visit, so that Superfish can serve advertisements.
"If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages," security researcher Marc Rogers wrote on his blog.
Daniel Assouline, CEO at software company Lavasoft, told ABC News, "the problem with Superfish isn't the problem of what they do, it's how they do it."
Superfish CEO Adi Pinhas told ABC News in a statement that his company "is completely transparent in what our software does and at no time were consumers vulnerable -- we stand by this today."
He added that Superfish stands by a statement Lenovo released making it clear that users are "not tracked nor re-targeted" and "every session is independent" when using Superfish.
Lenovo also said "the relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively."
The company also released a guide for users on how to determine if they have Superfish software and how to remove it from their devices.