How does Avast’s HTTPS scanner work?

Looks like the latest version of Avast antivirus includes an HTTPS scanner, source. How is this feature implemented? As a browser plugin?

Šime Vidas

Posted 2014-11-03T01:44:19.807

Reputation: 693

Answers

3

Usually, such scanners work the same way as a proxy or a man-in-the-middle attack: they make all connections go through a locally running "proxy" process, which acts as the server as far as your browser is concerned, but also acts as a client when talking to the actual web server, therefore decrypting and re-encrypting all HTTPS connections. That way, connections can be scanned regardless of the browser used.

Such scanners avoid certificate warnings by installing a custom locally-generated CA certificate on your system, and automatically issuing temporary certificates for every website you visit. Your article confirms this by mentioning that Avast breaks Firefox's add-on updating, which implies that Firefox is seeing the certificates come from a different issuer than it expects.

Of course, this has numerous disadvantages: it breaks security features like CA pinning (as in the Firefox example) or certificate fingerprint pinning; it hides the actual certificate information from the browser (and the user); it relies on Avast to correctly verify the server's certificate (personally, I do not trust Avast to do it correctly); it might hide the actual TLS features supported by the peers (such as ALPN), forcing the browser and the server to use the (often outdated) feature set that the Avast proxy also supports...

user1686

Posted 2014-11-03T01:44:19.807

Reputation: 283 655
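The answer above describes two things: the proxy mints a certificate for each site under a locally-installed CA, and doing so defeats pinning. The Go program below is an added example, not code from the original answer or from Avast; it builds two constructed CAs (one standing in for a public root, one for a local scanner CA), issues a leaf for `example.com` from each, and then runs the checks a client would run. Ordinary chain validation accepts the scanner's certificate only once the local CA is in the trust store, while a SubjectPublicKeyInfo pin on the genuine key still rejects it. All names, serials and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a fresh P-256 key and a certificate from tmpl. With parent == nil the
// certificate is self-signed (a CA); otherwise it is signed by parent's key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a CA certificate (constructed name, 24h lifetime).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes the short-lived server certificate an interception proxy
// mints on the fly for each host the browser connects to.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyForHost is ordinary browser-style chain validation against a given root pool.
func verifyForHost(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value key-pinning schemes compare.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// checkPin rejects a certificate whose key differs from the pinned one, whatever the trust store says.
func checkPin(presented *x509.Certificate, pinned string) error {
	if spkiPin(presented) != pinned {
		return errors.New("pin mismatch: certificate was not issued for the expected key")
	}
	return nil
}

// Outcome records what each check decides for the genuine and the intercepted certificate.
type Outcome struct {
	GenuineOK           bool // genuine leaf validates against the public root
	InterceptedPublicOK bool // intercepted leaf validates against the public root alone
	InterceptedLocalOK  bool // intercepted leaf validates once the local scanner CA is trusted
	PinCatchesIntercept bool // a pin on the genuine key rejects the intercepted leaf
}

func runScenario(host string) (Outcome, error) {
	var o Outcome
	publicCA, publicKey, err := makeCert(caTemplate("Constructed Public Root CA"), nil, nil)
	if err != nil {
		return o, err
	}
	localCA, localKey, err := makeCert(caTemplate("Constructed Local Scanner CA"), nil, nil)
	if err != nil {
		return o, err
	}
	genuine, _, err := makeCert(leafTemplate(host), publicCA, publicKey)
	if err != nil {
		return o, err
	}
	intercepted, _, err := makeCert(leafTemplate(host), localCA, localKey)
	if err != nil {
		return o, err
	}
	publicOnly := x509.NewCertPool()
	publicOnly.AddCert(publicCA)
	withLocal := x509.NewCertPool() // the trust store after the scanner installs its CA
	withLocal.AddCert(publicCA)
	withLocal.AddCert(localCA)

	o.GenuineOK = verifyForHost(genuine, host, publicOnly) == nil
	o.InterceptedPublicOK = verifyForHost(intercepted, host, publicOnly) == nil
	o.InterceptedLocalOK = verifyForHost(intercepted, host, withLocal) == nil
	pin := spkiPin(genuine)
	o.PinCatchesIntercept = checkPin(genuine, pin) == nil && checkPin(intercepted, pin) != nil
	return o, nil
}

func main() {
	o, err := runScenario("example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point of `InterceptedLocalOK` is that the client has no way, from chain validation alone, to tell the scanner's certificate from a real one once the local CA is trusted; the only check that still fails is the pin, which is exactly the feature the answer says such proxies break.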

2 – So it completely prevents the browser from establishing HTTPS connections with anything but Avast itself? That sounds awful. – Šime Vidas – 2014-11-03T14:20:24.507

1 – @ŠimeVidas: Some other protocols, like POP3/IMAP/SMTP/FTP, have a STARTTLS feature for enabling TLS after the initial handshake. Some antivirus scanners actually "edit out" any attempts to advertise or enable the STARTTLS feature, e.g. changing it to STARTXXX, so that the peer won't attempt TLS at all. – user1686 – 2014-11-08T19:18:51.117
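The last comment describes a scanner rewriting the STARTTLS keyword in a server's capability list so the client never upgrades to TLS. The defence on the client side is to refuse to continue in plaintext when STARTTLS is absent, and the mangled keyword is itself a signal worth logging. The Go code below is an added example, not from the original comment or from any real mail client: it parses a multi-line SMTP EHLO reply, applies a require-TLS policy, and flags a capability that looks like a rewritten STARTTLS. Both sample replies are constructed, not captured from a real server, and the tampering heuristic is this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample EHLO replies: one clean, one with STARTTLS rewritten in transit.
const cleanReply = "250-mail.example.net Hello client\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP\r\n"
const strippedReply = "250-mail.example.net Hello client\r\n250-SIZE 35882577\r\n250-STARTXXX\r\n250 HELP\r\n"

// parseEHLO returns the capability keywords from an EHLO reply. Per SMTP, "250-" lines
// continue the reply and a "250 " line ends it; the first line carries the greeting, not a capability.
func parseEHLO(reply string) ([]string, error) {
	lines := strings.Split(strings.TrimRight(reply, "\r\n"), "\r\n")
	if len(lines) == 0 || !strings.HasPrefix(lines[0], "250") {
		return nil, errors.New("not a successful EHLO reply")
	}
	var caps []string
	for i, line := range lines {
		if len(line) < 4 || line[:3] != "250" || (line[3] != '-' && line[3] != ' ') {
			return nil, fmt.Errorf("malformed reply line %q", line)
		}
		if i > 0 {
			if fields := strings.Fields(line[4:]); len(fields) > 0 {
				caps = append(caps, strings.ToUpper(fields[0]))
			}
		}
		if line[3] == ' ' && i != len(lines)-1 {
			return nil, errors.New("data after final reply line")
		}
	}
	return caps, nil
}

// offersSTARTTLS reports whether the server advertised STARTTLS.
func offersSTARTTLS(caps []string) bool {
	for _, c := range caps {
		if c == "STARTTLS" {
			return true
		}
	}
	return false
}

// requireTLS is the client policy: no credentials or mail leave the client in plaintext.
func requireTLS(caps []string) error {
	if !offersSTARTTLS(caps) {
		return errors.New("server did not offer STARTTLS; refusing to continue in plaintext")
	}
	return nil
}

// looksTampered is a heuristic (this example's own) for logging: a capability of the same
// length as STARTTLS that starts with START but is not STARTTLS suggests in-path rewriting.
func looksTampered(caps []string) bool {
	for _, c := range caps {
		if c != "STARTTLS" && strings.HasPrefix(c, "START") && len(c) == len("STARTTLS") {
			return true
		}
	}
	return false
}

func main() {
	for _, r := range []string{cleanReply, strippedReply} {
		caps, err := parseEHLO(r)
		if err != nil {
			panic(err)
		}
		fmt.Printf("caps=%v requireTLS=%v tampered=%v\n", caps, requireTLS(caps), looksTampered(caps))
	}
}
```

A client that only "prefers" TLS silently downgrades under this rewriting; a client that requires it fails closed, which is the behaviour that makes the stripping visible to the user.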