Closed Bug 1183600 Opened 9 years ago Closed 2 years ago

How to handle scenarios when all versions of a plugin are vulnerable

Categories

(Plugin Check Graveyard :: UI, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: espressive, Unassigned)


We need to define a method to handle the scenario when all versions of a plugin are vulnerable, like the case with Adobe Flash Player.

I propose that we have a default message in the template that is wrapped and translated where we only need to update the product/plugin in question.

We can then show this when we detect in the code that there is no latest version for a specific plugin, for example:

if (knownVersions.latest.length === 0) {
  showWarning(plugin.name);
}

That will ensure the message is translated and standard, and remove the need to open pull requests and do pushes to production to add or remove these.

Any thoughts or suggestions regarding this are encouraged and very welcome. Thanks!
Flags: needinfo?(jon)
Flags: needinfo?(jmize)
Flags: needinfo?(francesco.lodolo)
Flags: needinfo?(agibson)
Assignee: nobody → schalk.neethling.bugs
No longer depends on: 1183598
This sounds like a good plan to me. Another option could be to class a plugin as critically "Unsafe" in the regular list, and then display a big bold generic warning, defining what this means at the top of the page (suggesting to the user to disable it).
Flags: needinfo?(agibson)
My only thought is that a message displayed near the searchplugin would solve a lot of potential issues with l10n (no need to have the plugin name in the sentence).
Flags: needinfo?(francesco.lodolo)
I definitely agree that we need an automated solution - something that doesn't require PRs. It might be nice to do a combination:

- Flag plugins with no "latest" version in the "Potentially Vulnerable" list as :espressive mentioned. This flag could replace the "Update Now" button with a link to a more complete explanation of the situation, such as the latest notice from Adobe (https://helpx.adobe.com/security/products/flash-player/apsa15-04.html) or a link to SUMO with further instructions.

- If any plugins are flagged as only vulnerable, show a generic message up top that says something to the effect of "One or more of your plugins is vulnerable and currently has no fix. Please follow the 'Read more' links below for further instructions."

One issue we noticed last night is that neither button (Update Now/Up to Date) is helpful in these edge cases. Technically users *are* up to date with Flash, but in no way should we be showing a green thumbs up. On the other hand, there is no fix, so a button prompting the user to "Update Now" is misleading as well.
Flags: needinfo?(jon)
When coming up with the generic messaging we should consider the strong possibility that the user was sent to the plugincheck page because the plugin was added to the blocklist, as was the case yesterday, so we can ensure consistent messaging. We may want to link to https://support.mozilla.org/kb/add-ons-cause-issues-are-on-blocklist in this case.
Flags: needinfo?(jmize)
Good point, thanks Josh
Assignee: schalk.neethling.bugs → nobody
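
The combined handling proposed in the comments above (no button for a plugin with no fixed release, a "Read more" link, and a generic banner that avoids naming the plugin), sketched as an added example that is not part of the bug thread or of PluginCheck's code. Only `knownVersions.latest` appears in the thread; the other names, the data shapes and the sample version numbers are assumptions.

```javascript
// Added example. Only `knownVersions.latest` comes from the thread; every
// other name and the data shapes here are hypothetical.
const BLOCKLIST_KB = 'https://support.mozilla.org/kb/add-ons-cause-issues-are-on-blocklist';
const NO_FIX_BANNER = 'One or more of your plugins is vulnerable and currently ' +
  "has no fix. Please follow the 'Read more' links below for further instructions.";

// Decide what to show for one detected plugin.
function classifyPlugin(plugin, knownVersions) {
  const entry = knownVersions[plugin.name];
  // Missing or malformed data must never fall through to "Up to Date".
  if (!entry || !Array.isArray(entry.latest)) {
    return { name: plugin.name, status: 'unknown', button: null, readMore: null };
  }
  if (entry.latest.length === 0) {
    // No safe release exists: neither "Update Now" nor "Up to Date" applies.
    const readMore = plugin.blocklisted ? BLOCKLIST_KB : (entry.advisory || BLOCKLIST_KB);
    return { name: plugin.name, status: 'vulnerable_no_fix', button: null, readMore };
  }
  const current = entry.latest.includes(plugin.version);
  return {
    name: plugin.name,
    status: current ? 'up_to_date' : 'outdated',
    button: current ? 'Up to Date' : 'Update Now',
    readMore: null,
  };
}

// Build the per-plugin rows plus the generic, plugin-name-free banner.
function buildReport(installed, knownVersions) {
  const rows = installed.map((p) => classifyPlugin(p, knownVersions));
  const banner = rows.some((r) => r.status === 'vulnerable_no_fix') ? NO_FIX_BANNER : null;
  return { rows, banner };
}

// Constructed sample input (version numbers are made up).
const sampleKnown = {
  'Adobe Flash Player': { latest: [], advisory: 'https://helpx.adobe.com/security/products/flash-player/apsa15-04.html' },
  'Example Plugin': { latest: ['2.1.0'] },
};
const sampleInstalled = [
  { name: 'Adobe Flash Player', version: '1.0.0', blocklisted: false },
  { name: 'Example Plugin', version: '2.0.0' },
  { name: 'Unlisted Plugin', version: '0.9' },
];
const report = buildReport(sampleInstalled, sampleKnown);
console.log(report.banner);
console.table(report.rows);
```
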

PluginCheck is no longer supported

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE