On Wed, Mar 29, 2017 at 7:19 PM, Amal Hussein <ahus...@cainc.com
> If I can detect the currently installed Flash version via
> navigator.plugins, is there a way to dynamically interpret that the version
> is too low for the current Firefox browser version?
> If not, and we have to maintain some elaborate lookup table, matching
> browser versions to minimum supported Flash versions, is the information of
> what the minimum versions are for FF available anywhere in the community?
> If not, can that initiative be started here, since it would benefit from
> crowdsourcing?
> Lastly, if we go the option of always requiring our users to be on one of
> the last 2 major versions of Flash (currently 24 and 23), would that criterion
> be conservative enough?
Let me explain the Firefox behavior as a way of answering the questions.
Firefox asks the Mozilla blocklist servers frequently for a list of plugin
versions which are known to be vulnerable. This is not tied to the specific
Firefox version running.
When Firefox detects that the currently installed version of Flash is known
to be vulnerable, it stops activating that version by default. Instead, any
attempt to use Flash will show UI to the user which looks like this:
Users then have the opportunity to update or to choose to activate Flash
anyway for that site.
Mozilla deploys Flash blocks on the following schedule:
- If there are known active Flash exploits in the wild, we deploy the
- If a regularly scheduled Flash update (on patch Tuesday) fixes
  security holes, we deploy the Flash blocklist update on the following
  Monday. This gives most clients the ability to auto-update during the week.
So to get back to your particular questions:
It is not possible to detect whether Flash is considered out of date using
You can't build a lookup table of Flash versions and Firefox versions,
because that all happens via the dynamic blocklist.
It is not sufficient to require the latest two versions. Usually every
monthly update of Flash fixes security vulnerabilities, and so users need
to stay completely up to date.
Also be aware that starting later this year, Flash will be marked as
click-to-activate by default for all users. This doesn't show the red
button or no-enter sign, but it will look like this:
So you should make sure that your website works properly when Flash is in
click-to-activate mode, both for current users who have insecure versions
and for future defaults. You can change that today in the Firefox addon