VLC Web Plugin 2.1.3.0 does not check security of called applications.
Per bug #12686 (closed), browsers mark the VLC web plugin as insecure. This is reasonable, as the plugin can call known-insecure dependencies without checking.
I have updated the mozilla bug report ( https://bugzilla.mozilla.org/show_bug.cgi?id=1089012 ) as follows:
"Seems to me that this is a VLC issue, and the plugin should not be removed from plugincheck until they fix their plugin so that it is not exploitable as an attack vector.
They state (https://forum.videolan.org/viewtopic.php?f=2&t=116729) that they should not need to upgrade their plugin version, since the flaw was in the separately-installable player, which was fixed and had its version number updated; and that on some platforms, the plugin and player are entirely separate install packages. They just happen to be in a single package on windows "for convenience".
This means that even if they did increment the plugin version number, users could still upgrade the plugin and not the player, and remain vulnerable.
That means that the VLC player of any version number remains a known-insecure attack vector until/unless they release a version that either:
- explicitly prevents the relevant attacks being passed to any player, or
- restricts the vulnerable players from being used.
It is the responsibility of each plugin author to ensure that their plugins do not call known-vulnerable dependencies; it is not Mozilla's responsibility to parse each plugin's code to find what version of every single dependency it calls."
You've made one of the most incredible apps available: a simple version-check against your own software is unlikely to be beyond you, and what you gain from failing to secure your users in this way is unclear.
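The version gate this report asks for, written out as an added example (not code from VLC, the npapi plugin, or the report's author): the plugin parses the installed player's dotted version string, compares it numerically against a minimum known-fixed version, and refuses to hand anything to the player when it is older or when the version string does not parse. The report gives no fixed player version number, so MIN_FIXED_PLAYER_VERSION below is a labelled placeholder, and the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Placeholder only: the report does not state which player version fixed
   the flaw, so this value is constructed for the example, not a real cutoff. */
#define MIN_FIXED_PLAYER_VERSION "2.1.5.0"

#define MAX_PARTS 8

/* Parse a dotted version string such as "2.1.3.0" into numeric components.
   Returns the number of components, or -1 if the string is malformed
   (empty, non-digit characters, empty component, too many components). */
int parse_version(const char *s, unsigned parts[MAX_PARTS]) {
    int n = 0;
    if (s == NULL || *s == '\0') return -1;
    while (*s) {
        /* every component must start with a digit; "1..2" and "1.x" fail here */
        if (!isdigit((unsigned char)*s)) return -1;
        unsigned v = 0;
        while (isdigit((unsigned char)*s)) {
            if (v > 4000000000u / 10) return -1;   /* overflow guard for 32-bit unsigned */
            v = v * 10 + (unsigned)(*s - '0');
            s++;
        }
        if (n == MAX_PARTS) return -1;
        parts[n++] = v;
        if (*s == '.') {
            s++;
            if (*s == '\0') return -1;            /* trailing dot, e.g. "2.1." */
        } else if (*s != '\0') {
            return -1;                            /* junk after a component */
        }
    }
    return n;
}

/* Compare two parsed versions numerically, so "2.1.10" is newer than "2.1.9".
   Missing trailing components count as 0, so "2.1.5" equals "2.1.5.0".
   Returns -1, 0 or 1. */
int compare_versions(const unsigned *a, int na, const unsigned *b, int nb) {
    int n = na > nb ? na : nb;
    for (int i = 0; i < n; i++) {
        unsigned x = i < na ? a[i] : 0;
        unsigned y = i < nb ? b[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* The gate itself: returns 1 only when the installed player version parses
   and is at least the minimum known-fixed version. A version string that
   cannot be parsed fails closed and returns 0, so an unknown player is
   treated the same as a known-vulnerable one. */
int player_allowed(const char *installed, const char *min_fixed) {
    unsigned a[MAX_PARTS], b[MAX_PARTS];
    int na = parse_version(installed, a);
    int nb = parse_version(min_fixed, b);
    if (na < 0 || nb < 0) return 0;
    return compare_versions(a, na, b, nb) >= 0;
}

int main(void) {
    /* Constructed sample inputs: the plugin version from the report title,
       one equal to the placeholder cutoff, one newer, and two malformed. */
    const char *samples[] = { "2.1.3.0", "2.1.5", "2.2.0", "2.1.", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("player %-8s -> %s\n", samples[i],
               player_allowed(samples[i], MIN_FIXED_PLAYER_VERSION) ? "allowed" : "refused");
    }
    return 0;
}
```

The point of failing closed on a malformed or missing version string is that the plugin and player can be installed separately (as the report notes for some platforms), so the plugin cannot assume the player it finds is the one it shipped with.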