How can I determine the add-on that's causing this sketchy pop-up I'm seeing in Firefox on MacOS?

TL;DR

This is a very long answer, as I have documented all my research below. If you don't care about that, what I found was that this is a legitimate Firefox pop-up and what it is asking for is the password to open a certificate chain called My Computer (PIN Required). This appears to be installed by Symantec via the Symantec PKI Client.

If you have this problem and know that you don't need the Symantec Security Module in Firefox, just do the following:

1. Select ☰ → Preferences → Privacy & Security → Certificates → Security Devices
2. The "Device Manager" window will open. In the Security Modules and Devices list on the lef-hand, select Symantec Security Module and click Unload on the right.

If you get this and are also confused, I've opened the following feature request in the Firefox Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1651688. If you have substantial information to add, you can add it there (but please refrain from "me too" comments!)

Full journey to discover the source of the popup

First off, I don't know the answer to the core question, which is "how can I determine what is responsible for a popup in Firefox". This, in itself, is a problem which Mozilla should address.

However, I have found clues that lead me to believe that the popup is actually from Firefox itself.

First off, my setup: I use Firefox on multiple devices, some Windows, some Mac. I have Firefox Sync set up between them. I don't know if this is important, but it's a data point. I only ever see this on my Mac.

Second, I've tried nuking my profile and the problem magically reappears after a while. I initially thought that this was caused by Firefox Sync reinstalling the faulty/malicious extension that causes the popup. I now suspect this isn't the case.

I can consistently recreate the error by either:

1. Restarting Firefox, after a few seconds, this pops up as a modal in one the Firefox windows (note that it isn't modal in other windows in case of a session restore with multiple windows).

2. Changing network state. Either of the following will provoke the popup in a running Firefox:

   a. Disabling Wifi

   b. Re-enabling wifi

   c. Connecting to a VPN

From the above, it is my suspicion that any network or application state change will prompt this.

After attempting to manually uninstall extensions and still consistently getting the popup, and searching the the text in all of my profile, my gaze fell on Firefox itself.

Searching the Firefox application file for variations of the prompt text, gives the following:

$ find /Applications/Firefox.app/ -type f -exec grep -H "Please enter the master password for the" {} \;
Binary file /Applications/Firefox.app//Contents/Resources/omni.ja matches

This is a ZIP file (but luckily without compression, so the texts are visible). Unzipping this to a temporary location (called ~/omni.ja here), uncovers this:

$ find ~/omni.ja -type f -exec grep -H "Please enter the master password for the" {} \;
~/omni.ja/chrome/en-CA/locale/en-CA/pipnss/pipnss.properties:CertPassPrompt=Please enter the master password for the %S.

Hoping that the use of this resource was in the same file, I tried this:

$ find ~/omni.ja -type f -exec grep -H "CertPassPrompt" {} \;
~/omni.ja/chrome/en-CA/locale/en-CA/pipnss/pipnss.properties:CertPassPrompt=Please enter the master password for the %S.
~/omni.ja/chrome/en-CA/locale/en-CA/pipnss/pipnss.properties:CertPassPromptDefault=Please enter your master password.

This is very interesting to me. It tells me that it is similar code that uses the Firefox master password and this odd prompt. In the latter case, the text "My Computer (PIN Required)" would be passed in.

Searching for My Computer in the Firefox bundle and my local profiles yielded nothing, so this string is from some external source.

Searching the Web for "My Computer (PIN Required)" did uncover the following: https://www.hybrid-analysis.com/sample/57db1053fe642fbdf93f13537b9f38290e4bc28b310b607124cca43d614321fc?environmentId=120

So it looks like it is related to an attempt to access a certificate keystore with a name that is specific to the Symantec PKI Client.

Looking into my setup on my Mac, it turns out that my employer have installed a PKI Client executable that appears to provide a virtual device called "My Computer (PIN Required)". I believe the certificate chains in this device is used for authentication on the company Wi-Fi.

Some more digging around in the Mozilla source, I found that this is used in nsNSSCallbacks.cpp. This seems to be related to "PK11", again pointing to this being certificate-related. Some further digging in the related source code documentation for the pkcs11 module, which references "PKCS#11 Modules" in the Firefox settings. Note that the Mozilla doc is for Windows. On Mac, the route is ☰ → Preferences → Privacy & Security → Certificates → Security Devices. I had this:

As mentioned, I believe the Symantec module is used only for my company's Wi-fi, so I selected the Symantec Security Module group in this dialog and clicked Unload.

This has so far eliminated the pop-up.