
How to handle scenarios when all versions of a plugin are vulnerable

Status: NEW (Unassigned)
Product: Plugin Check
Component: UI
Reported: 3 years ago
Last updated: 6 months ago

People: (Reporter: espressive, Unassigned)

Description (Reporter)

3 years ago
We need to define a method to handle the scenario when all versions of a plugin are vulnerable, like the case with Adobe Flash Player.

I propose that we have a default message in the template that is wrapped and translated where we only need to update the product/plugin in question.

We can then show this when we detect in the code that there is no latest version for a specific plugin, for example:

// knownVersions.latest is the list of fixed releases for this plugin;
// an empty list means every known version is vulnerable.
if (knownVersions.latest.length === 0) {
  showWarning(plugin.name);
}

That will ensure the message is translated and standard, and remove the need to open pull requests and do pushes to production to add or remove these.

Any thoughts or suggestions regarding this are encouraged and very welcome. Thanks!
Updated (Reporter)

3 years ago
Flags: needinfo?(jon)
Flags: needinfo?(jmize)
Flags: needinfo?(francesco.lodolo)
Flags: needinfo?(agibson)
Updated (Reporter)

3 years ago
Assignee: nobody → schalk.neethling.bugs
No longer depends on: 1183598
Comment 1

This sounds like a good plan to me. Another option could be to class a plugin as critically "Unsafe" in the regular list, and then display a big bold generic warning, defining what this means at the top of the page (suggesting to the user to disable it).
Flags: needinfo?(agibson)
Comment 2

My only thought is that a message displayed near the searchplugin would solve a lot of potential issues with l10n (no need to have the plugin name in the sentence).
Flags: needinfo?(francesco.lodolo)

Comment 3

3 years ago
I definitely agree that we need an automated solution - something that doesn't require PRs. It might be nice to do a combination:

- Flag plugins with no "latest" version in the "Potentially Vulnerable" list as :espressive mentioned. This flag could replace the "Update Now" button with a link to a more complete explanation of the situation, such as the latest notice from Adobe (https://helpx.adobe.com/security/products/flash-player/apsa15-04.html) or a link to SUMO with further instructions.

- If any plugins are flagged as only vulnerable, show a generic message up top that says something to the effect of "One or more of your plugins is vulnerable and currently has no fix. Please follow the 'Read more' links below for further instructions."

One issue we noticed last night is that neither button (Update Now/Up to Date) is helpful in these edge cases. Technically users *are* up to date with Flash, but in no way should we be showing a green thumbs up. On the other hand, there is no fix, so a button prompting the user to "Update Now" is misleading as well.
Flags: needinfo?(jon)
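The description proposes keying the warning on an empty list of fixed releases, and Comment 3 points out that in that state neither "Up to Date" nor "Update Now" is the right button. The following is an added example, not Plugin Check's own code, of a classification routine that combines the two: it distinguishes "vulnerable with no fix" from "outdated" and "up to date", swaps the action to a "read more" link when no fix exists, and drives a single page-level banner. The data shape (`knownVersions.latest`, `knownVersions.vulnerable`, `readMore`), the plugin names and the version strings are constructed for the example and are not the real plugin database.

```javascript
// Added example (not Plugin Check's own code). The knownVersions shape,
// plugin names and version strings below are constructed for illustration.

// Compare dotted version strings numerically ("1.10" is newer than "1.9").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify one detected plugin against its knownVersions record.
// status: 'unknown' | 'vulnerable_no_fix' | 'vulnerable' | 'outdated' | 'up_to_date'
// action: 'none' | 'read_more' | 'update'
function classifyPlugin(plugin, knownVersions) {
  // No record at all: say nothing rather than guessing either way.
  if (!knownVersions) return { status: 'unknown', action: 'none' };

  const latest = knownVersions.latest || [];
  const vulnerable = knownVersions.vulnerable || [];
  const isVulnerable = vulnerable.includes(plugin.version);

  // The case from this bug: every known version is vulnerable, so there is
  // no release to update to. Do not show the green "Up to Date" state and do
  // not offer "Update Now"; replace the button with a "read more" link.
  if (latest.length === 0) {
    return {
      status: 'vulnerable_no_fix',
      action: 'read_more',
      readMore: knownVersions.readMore || null,
    };
  }

  // Otherwise compute the newest fixed release and compare.
  const newest = latest.reduce((m, v) => (compareVersions(v, m) > 0 ? v : m));
  if (isVulnerable) return { status: 'vulnerable', action: 'update', target: newest };
  if (compareVersions(plugin.version, newest) < 0) {
    return { status: 'outdated', action: 'update', target: newest };
  }
  return { status: 'up_to_date', action: 'none' };
}

// Run the check over every detected plugin.
function checkAll(plugins, db) {
  return plugins.map((p) => ({ name: p.name, ...classifyPlugin(p, db[p.name]) }));
}

// Page-level generic banner ("one or more of your plugins is vulnerable and
// currently has no fix") is shown once if any plugin has no fixed release.
function needsNoFixBanner(results) {
  return results.some((r) => r.status === 'vulnerable_no_fix');
}

// Constructed sample input: one plugin with no fixed release, one merely outdated.
const samplePlugins = [
  { name: 'Example Flash-like plugin', version: '18.0.0.1' },
  { name: 'ExamplePlugin', version: '1.2.0' },
];
const sampleDb = {
  'Example Flash-like plugin': {
    latest: [],
    vulnerable: ['18.0.0.1'],
    readMore: 'https://example.invalid/vendor-advisory', // placeholder URL
  },
  ExamplePlugin: { latest: ['1.3.0'], vulnerable: ['1.1.0'] },
};

const sampleResults = checkAll(samplePlugins, sampleDb);
```

The point of the `unknown` branch is that "no record" and "no fixed release" must not collapse into the same state: only a plugin the database explicitly lists with an empty `latest` array should trigger the no-fix warning.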

Comment 4

3 years ago
When coming up with the generic messaging we should consider the strong possibility that the user was sent to the plugincheck page because the plugin was added to the blocklist, as was the case yesterday, so we can ensure consistent messaging. We may want to link to https://support.mozilla.org/kb/add-ons-cause-issues-are-on-blocklist in this case.
Flags: needinfo?(jmize)
Comment 5 (Reporter)

3 years ago
Good point, thanks Josh
Updated (Reporter)

3 years ago
Duplicate of this bug: 1130559
Updated (Reporter)

a year ago
Assignee: schalk.neethling.bugs → nobody