Good question. I decided to study this out. 3.3.4 is retired, and may contain a vulnerability.
Here there is some description, starting with an earlier vulnerability in 3.3.2.
LastPass releases fix browser extension security flaws
March 23, 2017 https://www.computer...nsion-security-flaws
"Users can also update to Firefox 3.3.4, however, as we noted previously, the 3.x version of LastPass will be retired in the coming weeks."
LastPass has fixed three bugs in the password manager discovered by Google researcher Tavis Ormandy in the last 24 hours.
March 22, 2017 https://threatpost.c...ities-remain/124471/
"LastPass incorporated a fix for that vulnerability into version 3.3.4 of the add-on, released Wednesday morning. Firefox users should be automatically updated to the latest version, Ormandy said."
Discussion of the Ormandy-LastPass interactions:
Threatpost - March 22
LastPass Fixes Three Password Theft Vulnerabilities https://threatpost.c...ities-remain/124471/
This whole discussion is good; the extract is from the last quote.
April 1, 2017 https://www.boglehea...ewtopic.php?t=215129
There have been several attacks over the years against browser extensions for LastPass specifically and other password vaults in general. In most cases, this involves somehow fooling the browser extension into thinking you are on XYZ website, when you are actually on ABC website. By using the browser extension to have the convenience of automatically logging in to a site when you visit it, you've opened yourself to the risk that the browser extension is tricked this way.
The simplest solution is to just not use the browser extensions for a password vault. Take the extra 30 seconds to manually cut-and-paste the password from the vault into the website when you want to log in (or the extra minute to manually type it out). Then you don't have to worry about browser extensions being fooled, you just have to worry about you being fooled (e.g. phishing or other social engineering).
Tavis Ormandy on Twitter https://twitter.com/taviso
While it says there that the problem was in 3.3.2, you have this:
Is Fx extension 3.3.4 affected by the latest vulnerability?
April 7, 2017 https://forums.lastp...hp?f=12&t=252675
"YES 3.3.4 is affected"
Not sure if that is true,
it may have been an extrapolation from:
"All of your LastPass browser extensions should be updated to version 4.1.44 or higher" https://blog.lastpas...pass-extension.html/
Pale Moon Forum
PM 27.2.0 not allowing CRITICAL update to LASTPASS https://forum.palemo...iewtopic.php?t=15223
Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.
Major Geeks wonders if 3.3.4 has vulnerabilities https://forums.major...word-manager.316936/
Reddit back and forth, how quick was LastPass, and no clear indication on 3.3.4 https://www.reddit.c...d_lastpass_password/
A competitor attacks LastPass https://palant.de/20...security-done-wrong/
==========================
POSSIBLY 3.3.4 IS VULNERABLE - THIS IS A SECOND THINGY
Security Update for the LastPass Extension
March 27, 2017 - updated March 31 https://blog.lastpas...pass-extension.html/
TavisO finds yet another LP code execution exploit https://forums.lastp...=251065&start=10
This may affect 3.3.4.
All of your LastPass browser extensions should be updated to version 4.1.44 or higher