V-251546 | High | Firefox must be configured to allow only TLS 1.2 or above. | Use of versions prior to TLS 1.2 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure... |
V-251545 | High | The installed version of Firefox must be supported. | Using versions of an application that are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported... |
V-251567 | Medium | Firefox fingerprinting protection must be enabled. | The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker... |
V-252881 | Medium | Firefox must be configured to not delete data upon shutdown. | For diagnostic purposes, data must remain behind when the browser is closed. This is required to meet non-repudiation controls. |
V-251573 | Medium | The Firefox New Tab page must not show Top Sites, Sponsored Top Sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets. | The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited.
It is detrimental for applications to provide, or install by default, functionality... |
V-251580 | Medium | Firefox feedback reporting must be disabled. | Disable the menus for reporting sites (Submit Feedback, Report Deceptive Site).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or... |
V-251558 | Medium | Background submission of information to Mozilla must be disabled. | Firefox by default sends information about Firefox to Mozilla servers. There should be no background submission of technical and other information from DoD computers to Mozilla with portions... |
V-252909 | Medium | Firefox Studies must be disabled. | Studies try out different features and ideas before they are released to all Firefox users. Testing beta software is not in the DoD user's mission. |
V-252908 | Medium | Pocket must be disabled. | Pocket, previously known as Read It Later, is a social bookmarking service for storing, sharing, and discovering web bookmarks. Data gathering cloud services such as this are generally disabled in the DoD. |
V-251555 | Medium | Firefox must be configured to prevent JavaScript from raising or lowering windows. | JavaScript can raise and lower browser windows to cause improper input. Configure the browser setting to prevent scripts on visited websites from raising and lowering browser windows. |
V-251554 | Medium | Firefox must be configured to prevent JavaScript from moving or resizing windows. | JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Configure the browser setting to prevent scripts... |
V-251557 | Medium | Firefox must be configured to disable the installation of extensions. | A browser extension is a program that has been installed into the browser to add functionality. Where a plug-in interacts only with a web page and usually a third-party external application (e.g.,... |
V-251551 | Medium | Firefox must be configured to disable form fill assistance. | To protect privacy and sensitive data, Firefox provides the ability to configure the program so that data entered into forms is not saved. This mitigates the risk of a website gleaning private... |
V-251550 | Medium | Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download. | Some files can be downloaded or execute without user interaction. This setting ensures these files are not downloaded and executed. |
V-251553 | Medium | Firefox must be configured to block pop-up windows. | Pop-up windows may be used to launch an attack within a new browser window with altered settings. This setting blocks pop-up windows created while the page is loading. |
V-251578 | Medium | Firefox accounts must be disabled. | Disable Firefox Accounts integration (Sync).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary... |
V-251577 | Medium | Firefox must be configured so that DNS over HTTPS is disabled. | DNS over HTTPS has generally not been adopted in the DoD. DNS is tightly controlled.
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or... |
V-251572 | Medium | Firefox must not recommend extensions as the user is using the browser. | The Recommended Extensions program recommends extensions to users as they surf the web.
The user must not be encouraged to install extensions from the websites they visit. Allowed extensions are... |
V-251571 | Medium | Firefox deprecated ciphers must be disabled. | A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the... |
V-251570 | Medium | Firefox extension recommendations must be disabled. | The Recommended Extensions program makes it easier for users to discover extensions that have been reviewed for security, functionality, and user experience. Allowed extensions are to be centrally managed. |
V-251552 | Medium | Firefox must be configured to not use a password store with or without a master password. | Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be... |
V-251581 | Medium | Firefox encrypted media extensions must be disabled. | Enable or disable Encrypted Media Extensions and optionally lock it.
If "Enabled" is set to "false", Firefox does not download encrypted media extensions (such as Widevine) unless the user... |
V-251547 | Medium | Firefox must be configured to ask which certificate to present to a website when a certificate is required. | When a website asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DoD require user authentication for... |
V-251568 | Medium | Firefox cryptomining protection must be enabled. | The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker... |
V-251569 | Medium | Firefox Enhanced Tracking Protection must be enabled. | Tracking generally refers to content, cookies, or scripts that can collect browsing data across multiple sites.
It is detrimental for applications to provide, or install by default, functionality... |
V-251564 | Medium | Firefox search suggestions must be disabled. | Search suggestions must be disabled as this could lead to searches being conducted that were never intended to be made. |
V-251548 | Medium | Firefox must be configured to not automatically check for updated versions of installed search plugins. | Updates must be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings that may direct the application to access external URLs. |
V-251549 | Medium | Firefox must be configured to not automatically update installed add-ons and plugins. | Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings. |
V-251560 | Medium | Firefox must have the DOD root certificates installed. | The DOD root certificates will ensure that the trust chain is established for server certificates issued from the DOD Certificate Authority (CA). |
V-251562 | Medium | Firefox must prevent the user from quickly deleting data. | There should not be an option for a user to "forget" work they have done. This is required to meet non-repudiation controls. |
V-251563 | Medium | Firefox private browsing must be disabled. | Private browsing allows the user to browse the internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser... |
V-251566 | Medium | Firefox network prediction must be disabled. | If network prediction is enabled, requests to URLs are made without user consent. The browser should always make a direct DNS request without prefetching occurring. |
V-251559 | Low | Firefox development tools must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging... |
V-251565 | Low | Firefox autoplay must be disabled. | Autoplay allows the user to control whether videos can play automatically (without user consent) with audio content. The user must be able to select content that is run within the browser window. |