Closed Bug 1413590 Opened 8 years ago Closed 8 years ago

Bootstrap install function is run even if a sideloaded add-on is not enabled

Categories

(Toolkit :: Add-ons Manager, enhancement)

enhancement
Not set
normal

RESOLVED DUPLICATE of bug 1244246

People

(Reporter: mkaply, Unassigned)

Details

When an add-on is sideloaded, although the user is asked to enable the add-on before it runs, the install() function in the bootstrap.js file is still run even if the add-on is never enabled. This means that a third-party add-on can modify Firefox even if it is never actually enabled.

So far I've tested adding/changing search engines and it works. Installing an add-on didn't work in my first test, but I haven't tried very hard.

I realize this will go away with Firefox 57, but this is still a security issue on the ESR. And sadly, it has been this way for years. I'm wondering if this has been a source of search hijacking for years that we never caught.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: toolkit-core-security → firefox-core-security
Group: firefox-core-security