Epiphany internal APIs are available to WebExtensions
In ephy-web-process-extension.c, window_object_cleared_cb(), we register Epiphany internal JS APIs. There are two cases:
- A world GUID was used when initializing the web process extension. This is the original, normal codepath, used by the main Epiphany web context, and also by WebExtensions when create_web_extensions_webview() in ephy-web-extension-manager.c is called with custom_web_context=FALSE. The internal APIs are registered in a separate script world named by the GUID. Web content runs in the default script world and cannot reach objects in another world, so the internal APIs are not usable by web content.
- A world GUID was not used when initializing the web process extension. This happens when create_web_extensions_webview() in ephy-web-extension-manager.c is called with custom_web_context=TRUE. In this case, since commit 5410fec7, Epiphany registers its internal JS APIs in the default script world, which is exactly the world web content runs in, so web content can call them.
This means a malicious WebExtension can call the internal APIs directly and do nefarious things, e.g. enumerate passwords stored in gnome-keyring. This only happens in the second case above, i.e. when create_web_extensions_webview() in ephy-web-extension-manager.c is called with custom_web_context=TRUE. I assume the APIs could be further exposed to the web if a WebExtension loads external web content.
Fortunately, the scope of this issue is very limited, since WebExtension support is still experimental, disabled by default, and was only recently released in version 40.alpha, so it is not available to stable users anyway. If the bug existed in a stable release, then I would request a CVE for it. No point in bothering with that for a disabled experimental development feature.