V-17988 | High | Installed version of Firefox unsupported. | Use of versions of an application which are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for... |
V-57663 | High | Installed version of Firefox unsupported. | Use of versions of an application which are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for... |
V-15986 | Medium | Firefox is configured to allow JavaScript to disable or replace context menus. | A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of... |
V-57675 | Medium | Default behavior must block webpages from automatically running plugins. | This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. |
V-57677 | Medium | Extensions must be disabled by default. | A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external... |
V-57671 | Medium | Prevent the Deletion of Browsing Data | When a browser accesses a website, a record containing history data must be made that attributes the access to a user and contains, at a minimum, the URL of the site visited and the time and date... |
V-57673 | Medium | Disable Firefox Sync | Disables data synchronization in Firefox using Mozilla-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override... |
V-57605 | Medium | Firefox is configured to allow use of SSL 2.0. | Use of versions prior to TLS 1.0 is not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance... |
V-57679 | Medium | Disable Firefox crash reporter. | Enables anonymous reporting of usage and crash-related data about Firefox to Mozilla and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and... |
V-15773 | Medium | FireFox plug-in for ActiveX controls is installed. | When an ActiveX control is referenced in an HTML document, MS Windows checks to see if the control already resides on the client machine. If not, the control can be downloaded from a remote web... |
V-15985 | Medium | Firefox is configured to allow JavaScript to raise or lower windows. | JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active... |
V-57659 | Medium | Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page. | Users may not be aware that the information being viewed under secure conditions in a previous page is not currently being viewed under the same security settings. |
V-6318 | Medium | The DOD Root Certificate is not installed. | The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA. |
V-15777 | Medium | Firefox does not clear cookies upon closing. | Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in... |
V-57651 | Medium | Firefox is configured to allow JavaScript to change the status bar text. | JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a... |
V-15987 | Medium | Firefox is configured to allow JavaScript to hide or change the status bar. | When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a... |
V-15988 | Medium | Firefox is configured to allow JavaScript to change the status bar text. | JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a... |
V-57587 | Medium | Network shell protocol is enabled in Firefox. | Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to... |
V-57585 | Medium | Firefox automatically executes or downloads MIME types which are not authorized for auto-download. | The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download... |
V-57597 | Medium | Firefox is configured to use a password store with or without a master password. | Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then... |
V-57583 | Medium | Firefox is configured to ask which certificate to present to a web site when a certificate is required. | When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for... |
V-57581 | Medium | Firefox is configured to allow use of SSL 3.0. | DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.... |
V-19743 | Medium | Firefox required security preferences cannot be changed by user. | Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The... |
V-19742 | Medium | Firefox automatically updates installed add-ons and plugins. | Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings. |
V-19741 | Medium | Firefox application is set to auto-update. | Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is... |
V-57589 | Medium | Firefox not configured to prompt user before download and opening for required file types. | New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to... |
V-19744 | Medium | Firefox automatically checks for updated version of installed Search plugins. | Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs. |
V-15768 | Medium | FireFox is configured to ask which certificate to present to a web site when a certificate is required. | When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for... |
V-15983 | Medium | Firefox must be configured to allow only TLS. | Use of versions prior to TLS 1.1 is not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure... |
V-15771 | Medium | Network shell protocol is enabled in FireFox. | Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to... |
V-57579 | Medium | The DOD Root Certificate is not installed. | The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA. |
V-57667 | Medium | Firefox automatically updates installed add-ons and plugins. | Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings. |
V-57665 | Medium | Firefox application is set to auto-update. | Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is... |
V-57669 | Medium | Firefox automatically checks for updated version of installed Search plugins. | Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs. |
V-57681 | Medium | Auto-complete must be disabled | This AutoComplete feature suggests possible matches when users are filling in forms and searches. It is possible that this feature will cache sensitive data and store it in the user's profile,... |
V-57661 | Medium | The Firefox browser home page is not set to blank or a trusted site. | The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are... |
V-57649 | Medium | Firefox is configured to allow JavaScript to hide or change the status bar. | When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a... |
V-64891 | Medium | Extensions install must be disabled. | A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external... |
V-57607 | Medium | Firefox is not configured to allow use of TLS 1.0 and above. | DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD. |
V-57601 | Medium | Firefox is not configured to block pop-up windows. | Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading. |
V-57603 | Medium | Firefox is configured to allow JavaScript to move or resize windows. | JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited... |
V-57643 | Medium | Firefox is configured to allow JavaScript to raise or lower windows. | JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active... |
V-57647 | Medium | Firefox is configured to allow JavaScript to disable or replace context menus. | A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of... |
V-15776 | Medium | FireFox is configured to use a password store with or without a master password. | Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then... |
V-57595 | Medium | Firefox is configured to autofill passwords. | While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. |
V-15774 | Medium | Firefox formfill assistance option is disabled. | In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning... |
V-15775 | Medium | Firefox is configured to autofill passwords. | While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. |
V-15772 | Medium | Firefox not configured to prompt user before download and opening for required file types. | New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to... |
V-57591 | Medium | Firefox plugin for ActiveX controls is installed. | When an ActiveX control is referenced in an HTML document, MS Windows checks to see if the control already resides on the client machine. If not, the control can be downloaded from a remote web... |
V-15770 | Medium | Firefox automatically executes or downloads MIME types which are not authorized for auto-download. | The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download... |
V-57593 | Medium | Firefox formfill assistance option is disabled. | In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning... |
V-15989 | Medium | Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page. | Users may not be aware that the information being viewed under secure conditions in a previous page is not currently being viewed under the same security settings. |
V-57599 | Medium | Firefox does not clear cookies upon closing. | Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in... |
V-15778 | Medium | FireFox is not configured to block pop-up windows. | Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading. |
V-15779 | Medium | FireFox is configured to allow JavaScript to move or resize windows. | JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited... |