release upgrader launches browser as root

I am attaching animation of the steps

The exact same thing happens with the 13.04 -> 13.10 updater. I already had Firefox running. From the Release Notes window, clicking
  To see what's new in this release, visit:
   http://www.ubuntu.com/desktop/features
brings up same alert about Chromium, and starts a new Firefox window running as root.

This also happens when you click the other links in the Release Notes window, e.g. "community/participate".

WTF two f***ing years later and still not fixed.

Exact same issue upgrading from 15.04 to 15.10

Also note that launching the browser as root is a huge SECURITY issue, how can the importance possibly be just "medium"??

This is still an issue in 17.04. I've flipped this to being a security issue so hopefully it will get the attention it deserves.

$ ps aux | grep firefox
root 4497 12.8 1.0 2211388 347188 ? SNl 10:07 0:03 /usr/lib/firefox/firefox https://wiki.ubuntu.com/ArtfulAardvark/ReleaseNotes

FYI, this is going to break in Firefox 60.

Running Firefox like this (as root in a non-root user's session) has never officially been supported, due to the risk of creating root-owned files that the user can't delete, potentially being a privilege escalation vector, etc. However, this hasn't been enforced.

Until now. There are sandboxing changes coming in 60 that will, as a side effect, break "sudo firefox"-type use. Currently the browser UI will start but fail to load anything, but that's not very helpful for understanding what went wrong, so the plan is to refuse to start and print an error message; see https://bugzilla.mozilla.org/show_bug.cgi?id=1323302

This bug was fixed in the package ubuntu-release-upgrader - 1:18.04.15

---------------
ubuntu-release-upgrader (1:18.04.15) bionic; urgency=medium

  * Fix long line causing pep8 failure in autopkgtest.

 -- Marc Deslauriers <email address hidden> Sat, 07 Apr 2018 10:57:08 -0400

This bug was fixed in the package ubuntu-release-upgrader - 1:16.04.25

---------------
ubuntu-release-upgrader (1:16.04.25) xenial-security; urgency=medium

  * Properly drop permissions when opening a browser. (LP: #1174007)

 -- Marc Deslauriers <email address hidden> Mon, 09 Apr 2018 10:01:24 -0400

This bug was fixed in the package ubuntu-release-upgrader - 1:0.220.10

---------------
ubuntu-release-upgrader (1:0.220.10) trusty-security; urgency=medium

  * Properly drop permissions when opening a browser. (LP: #1174007)

 -- Marc Deslauriers <email address hidden> Mon, 09 Apr 2018 10:01:24 -0400

This bug was fixed in the package ubuntu-release-upgrader - 1:17.10.11

---------------
ubuntu-release-upgrader (1:17.10.11) artful-security; urgency=medium

  * Properly drop permissions when opening a browser. (LP: #1174007)

 -- Marc Deslauriers <email address hidden> Mon, 09 Apr 2018 10:01:24 -0400