Mozilla · Firefox · CVE-2018-5152
**Name of the Vulnerable Software and Affected Versions**
Firefox versions prior to 60
**Description**
A WebExtension with the appropriate permissions can attach content scripts to Mozilla sites, such as accounts.firefox.com, and listen to network traffic through the "webRequest" API. This allows it to intercept the `username` and an encrypted `password` during login to Firefox Accounts. The issue is limited to the login process on the website and the data displayed to the user once logged in. It does not expose synchronization traffic directly.
**Recommendations**
For versions prior to 60, update to version 60 or later to resolve the issue. As a temporary workaround, consider restricting the use of WebExtensions that hold the "webRequest" API permission to reduce the risk of exploitation. Avoid using WebExtensions that require sensitive information, such as `username` and `password`, until the issue is resolved.
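
One way to apply the workaround above is to review the manifests of installed extensions. The following is an added example, not Mozilla's code: it flags any `manifest.json` that pairs `webRequest` with a host pattern covering accounts.firefox.com, or that attaches a content script there. It assumes the Manifest V2 layout, where host patterns sit in `permissions`; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: flag WebExtension manifests that combine the "webRequest"
// permission with access to a sensitive host (Manifest V2 layout assumed).
const SENSITIVE_HOST = "accounts.firefox.com"; // host named in the advisory

// True when a match pattern such as "https://*.firefox.com/*" covers `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m) return false; // API permission name or a scheme not relevant here
  const patHost = m[2];
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// Hypothetical helper: summarise what one parsed manifest can do on `host`.
function auditManifest(manifest, host = SENSITIVE_HOST) {
  const perms = manifest.permissions || [];
  const hasWebRequest = perms.includes("webRequest");
  const hostPermission = perms.some((p) => patternCoversHost(p, host));
  const contentScript = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((p) => patternCoversHost(p, host)));
  return {
    name: manifest.name,
    canObserveRequests: hasWebRequest && hostPermission,
    canInjectContentScript: contentScript,
    flagged: (hasWebRequest && hostPermission) || contentScript,
  };
}

// Constructed sample manifests (not real extensions).
const samples = [
  { name: "sample-proxy-helper", permissions: ["webRequest", "<all_urls>"] },
  { name: "sample-page-tweaks", permissions: ["storage"],
    content_scripts: [{ matches: ["https://*.firefox.com/*"], js: ["c.js"] }] },
  { name: "sample-notes", permissions: ["webRequest", "https://example.org/*"] },
];

const report = samples.map((m) => auditManifest(m));
console.log(report.filter((r) => r.flagged).map((r) => r.name));
```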