A malware can be delivered from a malicious webpage just making the user installing a malicious browser blugin, then the plugin can spy everything the user does inside the browser, show ads, redirect webpages, change browser settings etc without extending the infection outside the browser, so a function to block new browser plugins installation (and maybe an option to add some webpages as exceptions) and let the user see and remove installed plugins in installed browsers would guarantee more advanced protection.