Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Extensions must be disabled by default.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-57677 | DTBF-0030 | SV-72087r1_rule | Medium |
| Description |
|---|
| A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external application (Flash, Adobe Reader) an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, a Chrome extension can be written to combine data from multiple domains and present it when a certain page is accessed which can be considered Cross Site Scripting. If a browser is configured to allow unrestricted use of extension then plug-ins can be loaded and installed from malicious sources and used on the browser. The browser must have the ability to identify extensions and allow only accepted extensions to execute. The browser must blacklist extensions by default. |
| STIG | Date |
|---|---|
| Mozilla Firefox | 2017-03-22 |
Details
| Check Text ( C-58499r2_chk ) |
|---|
| Procedure: In about:config, verify that the setting for the following preferences are set and locked. “xpinstall.enabled”, set to “false”. Criteria: If the values of the listed Preferences are not set and locked to these settings, then this is a finding. |
| Fix Text (F-62879r1_fix) |
|---|
| Set and lock the following preferences using the “Mozilla.cfg” file: “xpinstall.enabled”, set to “false”. |