by BHSPitMonkey 3528 days ago
If there is some permutation of JavaScript statements (library or otherwise) that displays a security vulnerability for the user, isn't that the browser's fault and not the application's? And isn't library detection just a hacky substitute for an actual fix of said fault?
2 comments

It's not the browser's fault if an extension has a vulnerability which gives away the capabilities the extension was given. It would be the browser's fault if the extension had a vulnerability which somehow managed to give away more permissions than the extension was given in the first place.

In this specific case, Angular runs eval-like functions on HTML in the DOM. The DOM can be controlled by the webpage. If Angular is running in a higher-privilege extension, then the webpage can put code in the DOM and let Angular execute it from within the extension. This seems to be a fundamental part of Angular 1.x's design. It just isn't built for this use case.
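
The mechanism described in the comment above, as an added toy model that is not part of the original thread and is not Angular's code. `renderEvalLike`, `extensionScope`, `readToken` and the panel functions are hypothetical names, and the token and page text are constructed sample values.

```javascript
// Toy renderer: evaluates every {{ expression }} it finds against a scope,
// the way an eval-like template engine compiles bindings found in markup.
function renderEvalLike(template, scope) {
  return template.replace(/\{\{(.*?)\}\}/g, (_, expr) => {
    // The expression text runs with whatever authority the scope carries.
    const fn = new Function('scope', `with (scope) { return (${expr}); }`);
    return String(fn(scope));
  });
}

// Stands in for capabilities the browser granted to the extension.
const extensionScope = {
  title: 'Saved pages',
  readToken: () => 'TOKEN-PLACEHOLDER', // constructed placeholder value
};

// Constructed page-controlled text. To the renderer it looks like a binding.
const pageText = 'Hello {{ readToken() }}';

// Weak: page text becomes part of the template that gets compiled, so its
// bindings are evaluated inside the extension's scope.
function vulnerablePanel(untrusted) {
  const template = '<h1>{{ title }}</h1><p>' + untrusted + '</p>';
  return renderEvalLike(template, extensionScope);
}

// Hardened: only the extension's own template is compiled. Page text is
// passed in as a value, so any braces inside it stay inert text.
function hardenedPanel(untrusted) {
  const template = '<h1>{{ title }}</h1><p>{{ pageText }}</p>';
  return renderEvalLike(template, { ...extensionScope, pageText: untrusted });
}

console.log(vulnerablePanel(pageText));
console.log(hardenedPanel(pageText));
```

In the weak version the page's text is evaluated with the extension's capabilities. In the hardened version the same text comes out unchanged because it never reaches the expression compiler.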

That makes sense, thanks.

The extension has access to certain information provided by the user and the browser. Due to a vulnerability, that information is no longer secure, and may be used in ways that the user of the extension neither expects nor has approved. The platform holder treats vulnerable extensions as if they were effectively malware, and bans them.

Hard to go deeper without further information, but it makes sense to me.