NSIS vulnerable to Dll hijacking SHFOLDER.DLL

I don't understand why nobody ever responds to serious and valid concerns like this? If the app/platform is not secure then it should be noted and something should be done.

The vulnerability issue is mainly an issue as it concerns downloads in the Downloads folder due to the fact that Google Chrome and browsers based on it will allow any site to download infected DLLs directly to that folder without user interaction. Due to that fact, the PortableApps.com Installer has been using patched versions of NSIS since they were released to counteract that (starting with the NSIS 3 betas). It currently bundles NSIS 3 internally uses that to build .paf.exe installers, not NSIS Portable.

If your machine is already infected with arbitrary DLLs outside the Download directory, chances are it's already been fully compromised as local privilege escalation vulnerabilities are fairly common on Windows. There is still a risk of an app you've granted admin rights to falling prey to this issue specifically, though, which brings us to...

As for NSIS Portable itself, both the ANSI and Unicode releases are shortly being replaced by NSIS Portable 3 which is in testing. We're finalizing some of the conversion bits since this upgrade breaks a bunch of NSIS scripts: https://portableapps.com/node/55424

If you'd like to assist with progress, please help test.