Firefox is configured to allow JavaScript to hide or change the status bar.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-57649	DTBF-0018	SV-72059r1_rule		Medium

Description
When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. Determines whether the text in the browser status bar may be set by JavaScript. Set and lock to True (default in Firefox) so that JavaScript access to preference settings for is disabled.

Description

When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. Determines whether the text in the browser status bar may be set by JavaScript. Set and lock to True (default in Firefox) so that JavaScript access to preference settings for is disabled.

STIG	Date
Mozilla Firefox	2017-03-22

Details

Check Text ( C-58471r2_chk )
Procedure: In about:config, verify that the setting for the following Preference Name’s are set and locked. “dom.disable_window_status_change”, set to “true”. Criteria: If the values of the listed Preferences are not set and locked to these settings, then this is a finding.

Fix Text (F-62851r1_fix)
Set and lock the following preferences using the “Mozilla.cfg” file: “dom.disable_window_status_change”, set to “true”.