[vladimir-y]

Correct, now it should be clear for all that Angular v1 is dangerous thing by design and it should not be used at all. Most likely a lot of not very experienced developers do for example $watch on value provided by the user input and that's a 100% XSS vulnerability since $watch does evaluate value if that was a string. And $watch is just a one example, there is a list of methods that do expressions evaluation.

[bzbarsky]

Note that in the context of a browser extension an "XSS vulnerability" means "a web page just got to run code with the extension's privileges"....

[Disclaimer: I work for Mozilla.]

[vladimir-y]

I guess extension's privileges means more privileges than a regular web page has (accessing file system for example?), if so then it's even more dramatic.

[bzbarsky]

Right. Extensions have more privileges than normal web pages.

For the specific case here (webextensions), the extension asks for a list of permissions at install time, so which privileges it has, exactly, depends on the extension. https://developer.chrome.com/extensions/declare_permissions has documentation on what the various permissions you can request are.

[codedokode]

You are making wrong conslusions.

> Angular v1 is dangerous thing by design

It is not dangerous. The vulnerability appears when incompetent developer injects Angular into a web page from a browser extension in Firefox (I don't know whether it would work in other browsers because they have other extension architecture).