Description
The options are ran as pure JS, with as far as I can tell, very little to no sandboxing (I haven't dug through the code to find out for sure).
Powerful objects can be used by adding code to the options. While JS allows for a lot of flexibility, allowing to be ran without any checks is very dangerous.
The simplest solution to improve security is to do this:
const optionsRaw = getSavedOptions(); // Or however you get the options
const argNames = .["`isSecureContext", "chrome", ...Object.keys(window)]
const parseOptionsFunctionRaw = new Function(..argNames, `${optionsRaw};return FS_OPTIONS`);
// Predefine a few arguments, but be sure to add them to the function argument array too.
const predefinedArgs = [window.isSecureContext, null];
const args= predefinedArgs.fill(predefinedArgs.length, paseOptionsFunctionRaw.length, null);
const parseOptions = ()=>parseOpptionsRaw.call(null, ...args);
const options = parseOptions();This makes hacking harder but doesn't make it impossible. It makes simple attacks much more difficult. The best solution is to prevent using JS at all. Perhaps have drop-downs for some common options for things that are true/false based on condition and then allow inputs that don't run as JS for flexible options.
Doing it this way helps make sure that it is harder to gain access with simple attacks, but running any JS at all, especially not in any sort of sandbox is still dangerous. A better solution would be to use a web worker, but I don't know how to implement this is a browser extension.
Also make a SECURITY.md file so people know how to report issues like this instead of creating a GitHub issue.
This issue requires someone with access to the user's browser, either locally or with some remote access program, and likely one that supports a GUI.