[PM-21724] - add safari and firefox to list of potential browser vendors

[jaasen-livefront]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-21724

📔 Objective

This PR adds safari and firefox to the list of potential browser vendors for the autofill spotlight nudge.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 4bf87e29-1244-4b15-be24-71a9878a5652

New Issues (5)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-53382	Npm-prismjs-1.29.0	details Recommended version: 1.30.0 Description: Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), bec... Attack Vector: NETWORK Attack Complexity: HIGH ID: Cer%2B264aEN20Bs2N8LskT7MA1qQFsaOaxv7hiAYeC2E%3D Vulnerable Package
	CVE-2025-32996	Npm-http-proxy-middleware-2.0.7	details Recommended version: 2.0.9 Description: In http-proxy-middleware v1.3.0 through v2.0.7 and v3.x through v3.0.3, "writeBody" function can be called twice because "else if" is not used. Attack Vector: NETWORK Attack Complexity: HIGH ID: q6Ay1Ke9wNfvERGnkVaDmZ2Iozp%2F91ylFGiVcWKOZ3U%3D Vulnerable Package
	CVE-2025-32997	Npm-http-proxy-middleware-2.0.7	details Recommended version: 2.0.9 Description: In http-proxy-middleware versions 1.3.0 through 2.0.8 and 3.x through 3.0.4, the "fixRequestBody" function proceeds even if "bodyParser" has failed. Attack Vector: NETWORK Attack Complexity: HIGH ID: Syu5noiRawRstULSHpDor3z5RCwNoNT6ZBoFuX9hxV8%3D Vulnerable Package
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 380	details The application takes sensitive, personal data cipher, found at line 380 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... ID: tl7kTfqlNhtkiOLy4ntykc%2FwVtY%3D Attack Vector
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 330	details The application takes sensitive, personal data cipher, found at line 330 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... ID: OBWW4nprBk%2FOnHBdgKy26RfA%2Fzw%3D Attack Vector

Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 378
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 377

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 7 lines in your changes missing coverage. Please review.

Project coverage is 36.33%. Comparing base (b7bbf99) to head (4dd669f).
Report is 69 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
.../src/autofill/popup/settings/autofill.component.ts	0.00%	7 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14857      +/-   ##
==========================================
- Coverage   36.49%   36.33%   -0.16%     
==========================================
  Files        3200     3200              
  Lines       92679    93309     +630     
  Branches    16694    16858     +164     
==========================================
+ Hits        33822    33904      +82     
- Misses      56403    56969     +566     
+ Partials     2454     2436      -18     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jprusik]

How are we representing the case where the client is Unknown now?

Even if our logic currently covers every known vendor case, could we have a fallback for unexpected cases? Otherwise you risk concatenating "undefined" into the string, no?

Suggested change

	get browserClientVendorExtended() {
	if (this.browserClientVendor !== BrowserClientVendors.Unknown) {
	return this.browserClientVendor;
	}
	if (this.platformUtilsService.isFirefox()) {
	return "Firefox";
	}
	if (this.platformUtilsService.isSafari()) {
	return "Safari";
	}
	return this.i18nService.t("turnOffBrowserAutofill", this.browserClientVendor);
	}
	get spotlightButtonText() {
	return this.i18nService.t("turnOffBrowserAutofill", this.browserClientVendorExtended);
	}
	get browserClientVendorExtended() {
	if (this.browserClientVendor !== BrowserClientVendors.Unknown) {
	return this.browserClientVendor;
	}
	if (this.platformUtilsService.isFirefox()) {
	return "Firefox";
	}
	if (this.platformUtilsService.isSafari()) {
	return "Safari";
	}
	return BrowserClientVendors.Unknown;
	}
	get spotlightButtonText() {
	if (this.browserClientVendorExtended === BrowserClientVendors.Unknown) {
	return this.i18nService.t("turnOffAutofill");
	}
	return this.i18nService.t("turnOffBrowserAutofill", this.browserClientVendorExtended);
	}

[jaasen-livefront]

@jprusik Ah yes ofc. Thanks for pointing this out. I've pushed an update with a small addition to your suggestion.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud