Mozilla FireFox Security Technical Implementation Guide

The Mozilla FireFox Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent by e-mail to the following address: [email protected]

Details

Version / Release: V4R29

Published: 2020-06-19

Updated At: 2020-08-15 20:23:00


Vuln | Rule Version | CCI | Severity | Title | Description | Responsibility
SV-33373r5_rule | DTBG010 | CCI-000185 | MEDIUM | The DOD Root Certificate is not installed. | The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA. | System Administrator; Information Assurance Officer
SV-16707r1_rule | DTBF050 | CCI-001274 | MEDIUM | Firefox is configured to ask which certificate to present to a web site when a certificate is required. | When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access, which increases security for DoD information. Acces |
SV-16709r1_rule | DTBF100 | CCI-001242 | MEDIUM | Firefox automatically executes or downloads MIME types which are not authorized for auto-download. | The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external |
SV-16710r3_rule | DTBF105 | CCI-000381 | MEDIUM | Network shell protocol is enabled in Firefox. | Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the underlying system. This check verifies that the defaul |
SV-16711r4_rule | DTBF110 | CCI-001243 | MEDIUM | Firefox is not configured to prompt a user before downloading and opening required file types. | New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these file |
SV-16712r1_rule | DTBF120 | CCI-001170 | MEDIUM | Firefox plug-in for ActiveX controls is installed. | When an ActiveX control is referenced in an HTML document, MS Windows checks to see if the control already resides on the client machine. If not, the control can be downloaded from a remote web site. This provides an automated delivery method for mobile c |
SV-16713r2_rule | DTBF140 | CCI-000381 | MEDIUM | Firefox formfill assistance option is disabled. | In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information. | System Administ
SV-16714r3_rule | DTBF150 | CCI-000381 | MEDIUM | Firefox is configured to autofill passwords. | While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. | System Administrator
SV-16715r2_rule | DTBF160 | CCI-000381 | MEDIUM | Firefox is configured to use a password store with or without a master password. | Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could als |
SV-16717r1_rule | DTBF180 | CCI-000381 | MEDIUM | Firefox is not configured to block pop-up windows. | Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading. | System Administrator
SV-16718r1_rule | DTBF181 | CCI-000381 | MEDIUM | Firefox is configured to allow JavaScript to move or resize windows. | JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Set the browser setting to prevent scripts on visited websites from moving and resizing browser windows. | Syst
SV-16925r8_rule | DTBF030 | CCI-002450 | MEDIUM | Firefox must be configured to allow only TLS. | Use of versions prior to TLS 1.1 is not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs. | System Administrator
SV-16927r1_rule | DTBF182 | CCI-000381 | MEDIUM | Firefox is configured to allow JavaScript to raise or lower windows. | JavaScript can make changes to the browser's appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript. | System Administrator
SV-16928r2_rule | DTBF183 | CCI-000381 | MEDIUM | Firefox is configured to allow JavaScript to disable or replace context menus. | A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or contex |
SV-19509r4_rule | DTBF003 | CCI-003376 | HIGH | Installed version of Firefox unsupported. | Use of versions of an application which are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions, which can leave the application vulnerable to at |
SV-59603r1_rule | DTBF090 | CCI-000381 | MEDIUM | Firefox automatically updates installed add-ons and plugins. | Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings. | System Administrator
SV-21890r1_rule | DTBF085 | CCI-000381 | MEDIUM | Firefox automatically checks for updated versions of installed Search plugins. | Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs. | System Administrator; IA Control ECSC-1
SV-79381r3_rule | DTBF186 | CCI-000381 | MEDIUM | Extension install must be disabled. | A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third-party external application (Flash, Adobe Reader), an extension interacts with the b |
SV-93759r3_rule | DTBF190 | CCI-000381 | MEDIUM | Background submission of information to Mozilla must be disabled. | There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publicly. |
SV-106633r2_rule | DTBF195 | CCI-001312 | LOW | Firefox development tools must be disabled. | While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web |
SV-111837r1_rule | DTBF200 | CCI-000381 | MEDIUM | Telemetry must be disabled. | The Telemetry feature provides this capability by sending performance and usage info to Mozilla. As you use Firefox, Telemetry measures and collects non-personal information, such as performance, hardware, usage and customizations. It then sends this info |
SV-111839r1_rule | DTBF205 | CCI-000381 | MEDIUM | Telemetry archive must be disabled. | The Telemetry feature provides this capability by sending performance and usage info to Mozilla. As you use Firefox, Telemetry measures and collects non-personal information, such as performance, hardware, usage and customizations. It then sends this info |
SV-111841r1_rule | DTBF210 | CCI-000381 | MEDIUM | Fingerprinting protection must be enabled. | The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists you set Firefox to use, then the fingerprinting scri |
SV-111843r1_rule | DTBF215 | CCI-000381 | MEDIUM | Cryptomining protection must be enabled. | The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists you set Firefox to use, then the fingerprinting scri |
SV-111845r1_rule | DTBF220 | CCI-000381 | MEDIUM | Enhanced Tracking Protection must be enabled. | Tracking generally refers to content, cookies, or scripts that can collect your browsing data across multiple sites. |
SV-111847r1_rule | DTBF225 | CCI-000381 | MEDIUM | Extension recommendations must be disabled. | The Recommended Extensions program will make it easier for users to discover extensions that have been reviewed for security, functionality, and user experience. |
SV-111849r1_rule | DTBF230 | CCI-000381 | LOW | Activity Stream must be disabled. | Activity Stream for Firefox is a collection of activity in the browser that is recorded and displayed in new tabs/windows. |
SV-111851r1_rule | DTBF235 | CCI-002450 | MEDIUM | Deprecated ciphers must be disabled. | A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could |
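The listing above gives only rule titles and descriptions; the STIG's own check text (which preference to inspect and what value it must hold) is not on this page. The following is an added example, not DISA's check procedure or any DISA tool: a small Python audit that parses a Firefox prefs.js/user.js, grades a subset of the rules above and reports with the page's own status words (Open / Not a Finding). The preference names and expected values (security.tls.version.min >= 2 for DTBF030, signon.autofillForms = false for DTBF150, and so on) are assumptions drawn from Firefox's about:config namespace, and the sample prefs.js is constructed for the example.

```python
import re
from typing import Callable, Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Matches  user_pref("name", value);  and  pref("name", value);  with a bool,
# integer or double-quoted string value, the forms Firefox writes to prefs.js.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js/user.js text into {name: value}; a later line wins."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comment, blank line, or not a pref statement
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            prefs[name] = int(raw)
    return prefs


# (rule version, preference, expectation, wanted value as text, whether an
# absent preference is acceptable because the browser default already
# satisfies the rule). Preference names/values are assumptions, not STIG text.
Check = Tuple[str, str, Callable[[PrefValue], bool], str, bool]
CHECKS: List[Check] = [
    ("DTBF030", "security.tls.version.min",
     lambda v: isinstance(v, int) and v >= 2, ">= 2 (TLS 1.1 or later)", False),
    ("DTBF050", "security.default_personal_cert",
     lambda v: v == "Ask Every Time", '"Ask Every Time"', False),
    # The page says the shell handler is disabled by default, so absent is fine.
    ("DTBF105", "network.protocol-handler.external.shell",
     lambda v: v is False, "false", True),
    ("DTBF140", "browser.formfill.enable", lambda v: v is False, "false", False),
    ("DTBF150", "signon.autofillForms", lambda v: v is False, "false", False),
    ("DTBF160", "signon.rememberSignons", lambda v: v is False, "false", False),
    ("DTBF180", "dom.disable_open_during_load", lambda v: v is True, "true", False),
    ("DTBF181", "dom.disable_window_move_resize", lambda v: v is True, "true", False),
    ("DTBF182", "dom.disable_window_flip", lambda v: v is True, "true", False),
    ("DTBF183", "dom.event.contextmenu.enabled", lambda v: v is False, "false", False),
    ("DTBF186", "xpinstall.enabled", lambda v: v is False, "false", False),
    ("DTBF200", "toolkit.telemetry.enabled", lambda v: v is False, "false", False),
    ("DTBF205", "toolkit.telemetry.archive.enabled", lambda v: v is False, "false", False),
    ("DTBF220", "privacy.trackingprotection.enabled", lambda v: v is True, "true", False),
]


def audit(prefs: Dict[str, PrefValue]) -> List[Tuple[str, str, str]]:
    """Return (rule, status, detail) per check using the STIG status words."""
    results: List[Tuple[str, str, str]] = []
    for rule, pref, ok, want, default_ok in CHECKS:
        if pref not in prefs:
            status = "Not a Finding" if default_ok else "Open"
            detail = f"{pref} not set (browser default applies); want {want}"
        elif ok(prefs[pref]):
            status, detail = "Not a Finding", f"{pref} = {prefs[pref]!r}"
        else:
            status, detail = "Open", f"{pref} = {prefs[pref]!r}; want {want}"
        results.append((rule, status, detail))
    return results


def summarize(results: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count results per status, like the Findings summary in a STIG viewer."""
    counts: Dict[str, int] = {}
    for _, status, _ in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample prefs.js for this example, not captured from a real host.
SAMPLE_PREFS = r'''
// Mozilla User Preferences (constructed sample)
user_pref("security.tls.version.min", 1);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("browser.formfill.enable", false);
user_pref("signon.autofillForms", true);
user_pref("signon.rememberSignons", false);
user_pref("dom.disable_open_during_load", true);
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_flip", true);
user_pref("dom.event.contextmenu.enabled", false);
user_pref("xpinstall.enabled", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("privacy.trackingprotection.enabled", true);
'''

if __name__ == "__main__":
    findings = audit(parse_prefs(SAMPLE_PREFS))
    for rule, status, detail in findings:
        print(f"{rule:8} {status:14} {detail}")
    print(summarize(findings))
```

Run against the constructed sample, the audit marks DTBF030 (TLS minimum left at 1.0), DTBF050 (certificate selected automatically instead of prompting) and DTBF150 (password autofill on) as Open and the rest as Not a Finding. A preference that is simply missing is reported as Open unless the page itself says the default is compliant, since prefs.js records only values that differ from the build defaults; for a real assessment, point the parser at the profile's prefs.js and any user.js or autoconfig file that locks the values.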