The WebExtension APIs in Mozilla Firefox before 43.0 allow remote attackers to gain privileges, and possibly obtain sensitive information or conduct cross-site scripting (XSS) attacks, via a crafted web site.