To quote https://bugzilla.redhat.com/show_bug.cgi?id=858034:
> Tavis Ormandy discovered that the browser extension installed as part of Gnome Shell (libgnome-shell-browser-plugin.so) would install Gnome Shell extensions without authorization from the user running the browser. While the Gnome Shell extension installer does not install these extensions directly, it does pass them to Gnome Shell via D-BUS, which then in turn installs the extension from extensions.gnome.org. If a malicious user were to upload a malicious extension to extensions.gnome.org and coerce a user into visiting a site where the extension installer would request that application's installation, the extension would be installed without the victim's knowledge.
Note that only extensions hosted at the official extensions.gnome.org repository can be installed in this manner, and they are all supposed to be vetted, so the security impact of this is as bad as one might first expect.
I believe that all versions of gnome-shell currently in portage and the gnome overlay are affected. At the moment, there is no upstream solution; see https://bugzilla.gnome.org/show_bug.cgi?id=684215
The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the
download and installation of arbitrary extensions from extensions.gnome.org
via a crafted web page.
Upstream finally closed this as wontfix:
Gnome 3.4.* is gone from tree and 3.6/3.8 is not yet stable. Closing this as FIXED.