Extension Block Request: Multiple ad blockers
Categories
(Toolkit :: Blocklist Policy Requests, task)
People
(Reporter: contact, Assigned: Fallen)
Details
Extension name | Multiple ad blockers |
Extension versions affected | <all versions> |
Platforms affected | <all platforms> |
Block severity | soft |
Reason
There was a vulnerability in Adblock Plus and uBlock that recently got fixed (CVE-2019-11593 and CVE-2019-11595), see this post for details: hxxps://armin.dev/blog/2019/04/adblock-plus-code-injection/
Please consider blocklisting certain Adblock Plus and uBlock versions.
These are the vulnerable version ranges:
Adblock Plus >=3.2,<3.5.2
uBlock >=0.9.5.11,<0.9.5.15
For Adblock Plus 3.5.1 and uBlock 0.9.5.14 it may be better to wait a bit before blacklisting since the mitigation was released only about a week ago, but the rest of the versions had plenty of time to update and they still have a substantial number of users.
Here's a list of Adblock Plus versions with user counts as of 2019.04.28, and the dates at which they became outdated due to a new release on AMO.
Version | Users | Outdated since |
3.5.1 | 316686 | 2019.04.20 |
3.5 | 83560 | 2019.04.04 |
3.4.3 | 65091 | 2019.03.13 |
3.4.2 | 31664 | 2019.01.23 |
3.4.1 | 8944 | 2018.12.03 |
3.4 | 6030 | 2018.11.14 |
3.3.1 | 20020 | 2018.10.31 |
3.2 | 8964 | 2018.08.28 |
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/versions/
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/statistics/usage/versions/?last=30
There are about 220k users running Adblock Plus versions that became outdated about a month ago or more, and 75k users of versions that became outdated more than 3 months ago.
Filter lists receive the extension version as part of the periodic filter list update request, so it's easy for a malicious filter list maintainer to deliver payloads only to vulnerable devices, and the vulnerability was widely reported.
Extension IDs
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}
Comment 1•5 years ago
Thank you for the report.
Philipp and I agreed to start blocking old versions next week.
Comment 3•5 years ago
I'm blocking the following versions:
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
(Adblock Plus, versions 3.2 - 3.5.1)
{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}
(µBlock, versions 0.9.5.11 - 0.9.5.14)
jid1-NIfFY2CA8fy1tg@jetpack
(Adblock for Firefox, versions 3.19.0 - 3.28.0)
Comment 4•5 years ago
The block has been staged. Stuart, can you review and push? Please take a careful look at the version ranges here.
Comment 5•5 years ago
Approved and pushed
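An added example, not part of the bug thread or Mozilla's blocklist code: a Python audit that flags installed extensions falling inside the blocked ranges listed in Comment 3, comparing version parts numerically rather than as strings. The inventory rows and host names are constructed, and the comparison assumes purely numeric dotted versions, which is simpler than the Toolkit version format Firefox uses.

```python
from itertools import zip_longest

# Blocked ranges from Comment 3 of the thread, inclusive on both ends.
BLOCKED = {
    "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}": ("Adblock Plus", "3.2", "3.5.1"),
    "{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}": ("uBlock", "0.9.5.11", "0.9.5.14"),
    "jid1-NIfFY2CA8fy1tg@jetpack": ("Adblock for Firefox", "3.19.0", "3.28.0"),
}

def parse(version):
    """Split a dotted version into integers; reject anything non-numeric."""
    parts = version.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Return -1, 0 or 1; missing trailing parts count as 0 (3.5 == 3.5.0)."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def is_blocked(addon_id, version):
    if addon_id not in BLOCKED:
        return False
    _, low, high = BLOCKED[addon_id]
    return compare(low, version) <= 0 and compare(version, high) <= 0

def audit(inventory):
    """Return (host, name, version) for blocked installs; unparsable ones are kept for review."""
    findings = []
    for host, addon_id, version in inventory:
        try:
            if is_blocked(addon_id, version):
                findings.append((host, BLOCKED[addon_id][0], version))
        except ValueError:
            findings.append((host, addon_id, version + " (unparsed)"))
    return findings

# Constructed inventory rows: (host, extension ID, installed version).
SAMPLE = [
    ("ws-01", "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "3.4.3"),
    ("ws-02", "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "3.5.2"),
    ("ws-03", "{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}", "0.9.5.14"),
    ("ws-04", "jid1-NIfFY2CA8fy1tg@jetpack", "3.2.0"),  # below 3.19.0 numerically
    ("ws-05", "jid1-NIfFY2CA8fy1tg@jetpack", "3.20.0beta"),
]
```

Calling `audit(SAMPLE)` returns the ws-01 and ws-03 installs plus the unparsable ws-05 entry; a plain string comparison would have wrongly placed ws-04's 3.2.0 between 3.19.0 and 3.28.0.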