Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can used to elevate privilege for a universal cross-site scripting (XSS) attack by a malicious web extension. It can also be used to inject content into other extensions if they load content within browser tabs. External Reference: https://www.mozilla.org/security/announce/2016/mfsa2016-46.html
Acknowledgments: Name: the Mozilla project Upstream: Muneaki Nishimura