I don't think, that removing this package from Debian is the right
way. Users who have it installed get no notice and would keep this
(apparent) malware. There should be a new package version, that does
not contain the plugin anymore (like transitional packages), for
both stable-sec and unstable (maybe oldstable too)?
Pkg-mozext-maintainers mailing list