More testing has been done over the weekend and here's the details. First to address a response from Stefan Benter -
This issue manifested itself not on a Debian Bullseye, it manifests itself on a Debian: Distributor ID: Debian Description: Debian GNU/Linux 10 (buster) Release: 10 Codename: buster Kernel: Linux 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux This bug specifically manifest itself on systems running: GNOME: 3.30.2 Graphics: Device-1: Intel 3rd Gen Core processor Graphics driver: i915 v: kernel Display: wayland server: X.Org 1.20.4 driver: i915 resolution: 2560x1080~60Hz OpenGL: renderer: Mesa DRI Intel Ivybridge Mobile v: 4.2 Mesa 18.3.6 This bug only evident (in my testing) when the following condition exits: System has installed package 'firefox-esr' version - 78.6.1esr-1~deb10u1 (from Debian repo) AND (!) system has installed package 'tor-browser' version - 78.6.0esr - 10.0.7 (from Tor Project directly) When both of those packages are present on the system, it causes some sort of a conflict with in the GNOME UI, specifically, how GNOME processes mouse clicks on the UI elements. This condition arises due to the delay between a point in time when Mozilla releases a new version of firefox, and time-frame it takes for TorProject to code, test, and release an updated version of the TorBrowser based on the most recent version of the firefox by Mozilla. As of today, Jan 17, 2021, once both packages have the same versions: firefox-esr 78.6.1esr-1~deb10u1 and torbrowser 78.6.1esr - 10.0.8 ... the GNOME UI big in handling mouse 'left' clicks + 'right' clicks - NO LONGER exists. On the systems (it has been verified) with the versions mismatch, GNOME is NOT properly handling mouse clicks. That's the bug I have experienced. This issue took place on a multiple different (hardware) machines. Regarding the content of: Location: /usr/lib/firefox-esr/browser/omni.ja ... the concern is not the presence of this file, the concern is of it's content, specifically references to the 'extensions'. This is an excerpt from: Location: /usr/lib/firefox-esr/browser/omni.ja -- Extensions information Name: Amazon.com Location: /usr/lib/firefox-esr/browser/omni.ja Package: firefox-esr Status: enabled Name: Bing Location: /usr/lib/firefox-esr/browser/omni.ja Package: firefox-esr Status: enabled Name: DoH Roll-Out Location: /usr/lib/firefox-esr/browser/features/doh-roll...@mozilla.org.xpi Package: firefox-esr Status: enabled Name: eBay Location: /usr/lib/firefox-esr/browser/omni.ja Package: firefox-esr Status: enabled Name: Firefox Screenshots Location: /usr/lib/firefox-esr/browser/features/screensh...@mozilla.org.xpi Package: firefox-esr Status: enabled Name: Google Location: /usr/lib/firefox-esr/browser/omni.ja Package: firefox-esr Status: enabled There is no place in the firefox-esr GUI that shows/discloses to the users presence of these extensions, while clearly they are present AND enabled! There is no place in firefox-esr to locate and control, disable these extensions. I consider this a security issue and potentially a violation of core values of the Debian Project. Therefor, I would like to ask Debian Security Team to review and potentially mark this ticket as 'Serious' if not 'Critical'. This is a security issue and I don't think should be taken lightly. Damien