Security News > 2020 > January > Mozilla bans Firefox extensions for executing remote code
The nature of the banned extensions is difficult to say - Mozilla lists them on Bugzilla using only the IDs they used on addons.
The hard ban on extensions that execute remote code seems to have happened around the time pre-release versions of Firefox 72 hove into view, but this was only noticed by some developers and users when the company abruptly banned several page translation extensions in November.
That implies that, prior to November, extensions loading such code could operate with more freedom, specifically those that were being self-hosted as unlisted extensions rather than served via the AMO. That doesn't mean that every extension loading remote code in the past was doing so for malicious reasons, but it underlines how Mozilla is having to tighten controls in the face of growing abuse.
Last year it slapped a ban on extensions using obfuscated code, such as JavaScript code where the purpose or intention is in some way hidden.
As Mozilla points out, many extensions aren't written by well-known developers, so a deeper dive might be necessary.
News URL
Related news
- Mozilla Updates Firefox Terms Again After Backlash Over Broad Data License Language (source)
- Mozilla Revises Firefox Terms of Use After Inflaming Users Over Data Usage (source)
- Mozilla warns users to update Firefox before certificate expires (source)
- Mozilla warns Windows users of critical Firefox sandbox escape flaw (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)