Discussion:
Is there a way to detect the minimum version of Flash required so we preemptively know when our Flash content will be blocked?
Amal Hussein
2017-03-29 23:19:13 UTC
Context:

Since on Firefox we rely on the version of Flash installed on a user's machine, there are cases when FF blocks Flash content because the version does not meet the minimum version threshold.


We currently support Firefox versions v45+, and I currently do not see a way of being able to systematically detect if the Flash version installed meets the minimum requirements or not.

Questions:

If I can detect the currently installed Flash version via navigator.plugins, is there a way to dynamically interpret that the version is too low for the current Firefox browser version?

If not, and we have to maintain some elaborate lookup table, matching browser versions to minimum supported Flash versions, is the information of what the minimum versions are for FF available anywhere in the community? If not, can that initiative be started here, since it would benefit from crowdsourcing?

Lastly, if we go with the option of always requiring our users to be on one of the last 2 major versions of Flash (currently 24 and 23), would that criterion be conservative enough?


Thanks so much,
Amal
Chris Peterson
2017-03-30 02:52:50 UTC
Post by Amal Hussein
If I can detect the currently installed Flash version via navigator.plugins, is there a way to dynamically interpret that the version is too low for the current Firefox browser version?
Does a blocked version of Flash still show up in navigator.plugins?
Post by Amal Hussein
If not, and we have to maintain some elaborate lookup table, matching browser versions to minimum supported Flash versions, is the information of what the minimum versions are for FF available anywhere in the community? If not, can that initiative be started here, since it would benefit from crowdsourcing?
The blocked Flash versions are updated dynamically and thus are not
linked 1:1 with a Firefox version. (I don't know where the list of
blocked Flash versions is served from.)
Benjamin Smedberg
2017-04-03 18:30:49 UTC
Post by Amal Hussein
If I can detect the currently installed Flash version via
navigator.plugins, is there a way to dynamically interpret that the version
is too low for the current Firefox browser version?
If not, and we have to maintain some elaborate lookup table, matching
browser versions to minimum supported Flash versions, is the information of
what the minimum versions are for FF available anywhere in the community?
If not, can that initiative be started here, since it would benefit from
crowdsourcing?
Lastly, if we go with the option of always requiring our users to be on one of
the last 2 major versions of Flash (currently 24 and 23), would that criterion
be conservative enough?
Let me explain the Firefox behavior as a way of answering the questions.

Firefox asks the Mozilla blocklist servers frequently for a list of plugin
versions which are known to be vulnerable. This is not tied to the specific
Firefox version running.

When Firefox detects that the currently installed version of Flash is known
to be vulnerable, it stops activating that version by default. Instead, any
attempt to use Flash will show UI to the user which looks like this:
[image]

Users then have the opportunity to update or to choose to activate Flash
anyway for that site.

Mozilla deploys Flash blocks on the following schedule:

- If there are known active Flash exploits in the wild, we deploy the
block immediately
- If a regularly scheduled Flash update (on patch Tuesday) fixes
security holes, we deploy the Flash blocklist update on the following
Monday. This gives most clients the ability to auto-update during the week.


So to get back to your particular questions:

- It is not possible to detect whether Flash is considered out of date using
navigator.plugins.
- You can't build a lookup table of Flash versions and Firefox versions,
because that all happens via the dynamic blocklist.
- It is not sufficient to require the latest two versions. Usually every
monthly update of Flash fixes security vulnerabilities, and so users need
to stay completely up to date.

Also be aware that starting later this year, Flash will be marked as
click-to-activate by default for all users. This doesn't show the red
button or no-enter sign, but it will look like this:
[image]

So you should make sure that your website works properly when Flash is in
click-to-activate mode, both for current users who have insecure versions
and for future defaults. You can change that today in the Firefox addon
manager.

--BDS
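
The advice above as an added example, not code from any poster in this thread: read the installed Flash version from navigator.plugins only to show an update hint, and always ship fallback content, because the version says nothing about the blocklist or click-to-activate state. The `LATEST_KNOWN` value, the function names, and the reliance on `plugin.version` / `plugin.description` string formats are assumptions of this sketch.

```javascript
// Constructed placeholder: the newest Flash release the site knows about.
// The site maintains this itself; it is NOT Mozilla's dynamic blocklist.
const LATEST_KNOWN = [24, 0, 0, 200];

// Parse "24.0.0.200" (plugin.version) or "Shockwave Flash 24.0 r0"
// (plugin.description) into [major, minor, revision, build].
function parseFlashVersion(nav) {
  const plugin = nav && nav.plugins && nav.plugins["Shockwave Flash"];
  if (!plugin) return null;
  const text = plugin.version || plugin.description || "";
  const m = /(\d+)\.(\d+)(?:\.|\s*r)(\d+)(?:\.(\d+))?/.exec(text);
  if (!m) return null; // present but unparsable: treated like "no Flash"
  return [m[1], m[2], m[3], m[4] || "0"].map(Number);
}

// Component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns advice for the page. showFallback is true in every branch:
// a parsed version cannot tell us whether Firefox will activate the
// plugin, so the non-Flash content must always be rendered.
function flashAdvice(nav, latestKnown) {
  const v = parseFlashVersion(nav);
  if (v === null) {
    return { state: "no-flash", version: null, showFallback: true };
  }
  const outdated = compareVersions(v, latestKnown) < 0;
  return {
    state: outdated ? "update-recommended" : "may-need-click",
    version: v.join("."),
    showFallback: true,
  };
}
```

In a page, call `flashAdvice(navigator, LATEST_KNOWN)` and use `state` only to decide whether to show an "update Flash" hint next to the fallback content.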
