NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
Per #22966 (moved) it sounds like NoScript is not signed with a developer key (the 'updateKey' feature described here: https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#updateKey )
updateKey allows the extension developer to require updates be signed with a key only they control. Without it, Mozilla can rewrite extensions and effectively get arbitrary code execution via an add-on.
There's a few things at play here.
-
We could disable add-on updating all together to mitigate this in 52.
-
In 59, when the only 'full' add-ons are 'system' add-ons we'll need to figure this out ourselves anywhere. This will probably involve Tor signing Tor Launcher and TorButton with its own system add-on keys. Dev Tools is an open question.
-
In 59, when Web Extensions are around this won't be as big of a concern. Mozilla can't get code execution but could neuter the effect of an add-on or turn it into spyware (assuming we keep extension updating in place). Whether web extensions will support an updateKey mechanism is an open question (they don't now, EFF wants it. Tor might wish to lend support to the argument. If Tor could get another partner repack to join in that would help even more I bet.)