The bitwarden team found out the hard way that the technology they built their Firefox extension upon — Angular 1.5.8 — was banned.
In a bug report, the team says they wanted to bring their extension to Firefox (it's been available in Chrome), but the add-on linter rejected their extension because of the presence of Angular 1.5.8. They were using a specific version, but it turns out every version of Angular 1.X is banned from use in Firefox extensions.
The ban was not necessarily the result of a vulnerability in Angular; it had more to do with the way Angular 1.X and other libraries interact with the Firefox extension system and the page loaded in the browser. Martin Probst on the Angular team described the problem:
"Angular itself is fine, and there's no problem with escaping or eval'ing per se.
"However there is a corner condition in which Angular being present in an extension might weaken some security measures. It requires multiple issues to happen together, including the victim page being vulnerable in the first place. I'm actually not sure if that is the issue that Mozilla was thinking about, but it is a problem. We will put some defense in depth into Angular to mitigate this, but I believe it's a general issue with how extensions are handled, not limited to Angular."
Complicating the issue is that while Firefox knew about the Angular ban, they didn't share it with Google. Andreas Wagner from Mozilla says this was on purpose:
"Unfortunately, we were not able to report them to Angular as the security researcher who found them asked us to not share them."
It's not clear why the researcher didn't also contact the Angular team directly.
This caused some teeth gnashing in the community, but the unknown researcher in question and Google have now been in contact and a fix is in the works. Much of the discussion pointed to a feature in Angular 1.X called the Expression Sandbox. Google has already decided to remove the Expression Sandbox in version 1.6. But Probst says the sandbox is not the cause of the ban:
- We understand the underlying concern better now after talking to the researcher.
- The issue is unrelated to sandbox bypasses.
- There is a (not super high priority) security issue. It's not really specific to Angular, but Angular makes it easier to exploit.
- We believe the problem can be mitigated between Angular and Firefox. I'm working on a fix.
Until the fix is in, developers will be unable to ship a Firefox extension with Angular 1.X involved.