Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Mozilla Firefox Security Technical Implementation Guide

V6R1 · · · Released 14 Nov 2021 · 37 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V5R2 · 23 Jul 2021 +37 −27

Comparison against the immediately-prior release (V5R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 37

  • V-251545 High The installed version of Firefox must be supported.
  • V-251546 High Firefox must be configured to allow only TLS 1.2 or above.
  • V-251547 Medium Firefox must be configured to ask which certificate to present to a website when a certificate is required.
  • V-251548 Medium Firefox must be configured to not automatically check for updated versions of installed search plugins.
  • V-251549 Medium Firefox must be configured to not automatically update installed add-ons and plugins.
  • V-251550 Medium Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.
  • V-251551 Medium Firefox must be configured to disable form fill assistance.
  • V-251552 Medium Firefox must be configured to not use a password store with or without a master password.
  • V-251553 Medium Firefox must be configured to block pop-up windows.
  • V-251554 Medium Firefox must be configured to prevent JavaScript from moving or resizing windows.
  • V-251555 Medium Firefox must be configured to prevent JavaScript from raising or lowering windows.
  • V-251556 Medium Firefox must be configured to prevent JavaScript from disabling or replacing context menus.
  • V-251557 Medium Firefox must be configured to disable the installation of extensions.
  • V-251558 Medium Background submission of information to Mozilla must be disabled.
  • V-251559 Low Firefox development tools must be disabled.
  • V-251560 Medium Firefox must have the DoD root certificates installed.
  • V-251561 Medium Firefox must be configured to not delete data upon shutdown.
  • V-251562 Medium Firefox must prevent the user from quickly deleting data.
  • V-251563 Medium Firefox private browsing must be disabled.
  • V-251564 Medium Firefox search suggestions must be disabled.
  • V-251565 Low Firefox autoplay must be disabled.
  • V-251566 Medium Firefox network prediction must be disabled.
  • V-251567 Medium Firefox fingerprinting protection must be enabled.
  • V-251568 Medium Firefox cryptomining protection must be enabled.
  • V-251569 Medium Firefox Enhanced Tracking Protection must be enabled.
  • V-251570 Medium Firefox extension recommendations must be disabled.
  • V-251571 Medium Firefox deprecated ciphers must be disabled.
  • V-251572 Medium Firefox must not recommend extensions as the user is using the browser.
  • V-251573 Medium The Firefox New Tab page must not show top sites.
  • V-251574 Medium The Firefox New Tab page must not show recommended stories.
  • V-251575 Medium The Firefox New Tab page must not show highlights.
  • V-251576 Medium The Firefox New Tab page must not show snippets.
  • V-251577 Medium Firefox must be configured so that DNS over HTTPS is disabled.
  • V-251578 Medium Firefox accounts must be disabled.
  • V-251579 Medium Firefox updates must not run in the background.
  • V-251580 Medium Firefox feedback reporting must be disabled.
  • V-251581 Medium Firefox encrypted media extensions must be disabled.

Removed rules 27

  • V-223151 High Installed version of Firefox unsupported.
  • V-223152 Medium Firefox must be configured to allow only TLS.
  • V-223153 Medium FireFox is configured to ask which certificate to present to a web site when a certificate is required.
  • V-223154 Medium Firefox automatically checks for updated version of installed Search plugins.
  • V-223155 Medium Firefox automatically updates installed add-ons and plugins.
  • V-223156 Medium Firefox automatically executes or downloads MIME types which are not authorized for auto-download.
  • V-223157 Medium Network shell protocol is enabled in FireFox.
  • V-223158 Medium Firefox is not configured to prompt a user before downloading and opening required file types.
  • V-223159 Medium FireFox plug-in for ActiveX controls is installed.
  • V-223160 Medium Firefox formfill assistance option is disabled.
  • V-223161 Medium Firefox is configured to autofill passwords.
  • V-223162 Medium FireFox is configured to use a password store with or without a master password.
  • V-223163 Medium FireFox is not configured to block pop-up windows.
  • V-223164 Medium FireFox is configured to allow JavaScript to move or resize windows.
  • V-223165 Medium Firefox is configured to allow JavaScript to raise or lower windows.
  • V-223166 Medium Firefox is configured to allow JavaScript to disable or replace context menus.
  • V-223167 Medium Extensions install must be disabled.
  • V-223168 Medium Background submission of information to Mozilla must be disabled.
  • V-223169 Low Firefox Development Tools Must Be Disabled.
  • V-223170 Medium Telemetry must be disabled.
  • V-223171 Medium Telemetry archive must be disabled.
  • V-223172 Medium Fingerprinting protection must be enabled.
  • V-223173 Medium Cryptomining protection must be enabled.
  • V-223174 Medium Enhanced Tracking Protection must be enabled.
  • V-223175 Medium Extension recommendations must be disabled.
  • V-223177 Medium Deprecated ciphers must be disabled.
  • V-223179 Medium The DOD Root Certificate is not installed.
Sort by
c
The installed version of Firefox must be supported.
SI-2 - High - CCI-002605 - V-251545 - SV-251545r807107_rule
RMF Control
SI-2
Severity
H
CCI
CCI-002605
Version
FFOX-00-000001
Vuln IDs
  • V-251545
Rule IDs
  • SV-251545r807107_rule
Using versions of an application that are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions, which can leave the application vulnerable to attack.
Checks: C-54980r807105_chk

Run Firefox. Click the ellipsis button >> Help >> About Firefox, and view the version number. If the Firefox version is not a supported version, this is a finding.

Fix: F-54934r807106_fix

Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.

c
Firefox must be configured to allow only TLS 1.2 or above.
AC-17 - High - CCI-001453 - V-251546 - SV-251546r807110_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
FFOX-00-000002
Vuln IDs
  • V-251546
Rule IDs
  • SV-251546r807110_rule
Use of versions prior to TLS 1.2 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.
Checks: C-54981r807108_chk

Type "about:policies" in the browser window. If "SSLVersionMin" is not displayed under Policy Name or the Policy Value is not "tls1.2", this is a finding.

Fix: F-54935r807109_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Minimum SSL version enabled Policy State: Enabled Policy Value: TLS 1.2 macOS "plist" file: Add the following: <key>SSLVersionMin</key> <string>tls1.2</string> Linux "policies.json" file: Add the following in the policies section: "SSLVersionMin": tls1.2

b
Firefox must be configured to ask which certificate to present to a website when a certificate is required.
IA-5 - Medium - CCI-000187 - V-251547 - SV-251547r807113_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000187
Version
FFOX-00-000003
Vuln IDs
  • V-251547
Rule IDs
  • SV-251547r807113_rule
When a website asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DoD require user authentication for access, which increases security for DoD information. Access will be denied to the user if certificate management is not configured.
Checks: C-54982r807111_chk

Type "about:policies" in the browser address bar. If "security.default_personal_cert" is not displayed with a value of "Ask Every Time", this is a finding.

Fix: F-54936r807112_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "security.default_personal_cert": { "Value": "Ask Every Time", "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>security.default_personal_cert</key> <dict> <key>Value</key> <string>Ask Every Time</string> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "security.default_personal_cert": { "Value": "Ask Every Time", "Status": "locked" } }

b
Firefox must be configured to not automatically check for updated versions of installed search plugins.
CM-7 - Medium - CCI-000381 - V-251548 - SV-251548r807116_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000004
Vuln IDs
  • V-251548
Rule IDs
  • SV-251548r807116_rule
Updates must be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings that may direct the application to access external URLs.
Checks: C-54983r807114_chk

Type "about:policies" in the browser address bar. If "browser.search.update" is not displayed with a value of "false", this is a finding.

Fix: F-54937r807115_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "browser.search.update": { "Value": false, "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>browser.search.update</key> <dict> <key>Value</key> <false/> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "browser.search.update": { "Value": false, "Status": "locked" } }

b
Firefox must be configured to not automatically update installed add-ons and plugins.
CM-7 - Medium - CCI-000381 - V-251549 - SV-251549r807119_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000005
Vuln IDs
  • V-251549
Rule IDs
  • SV-251549r807119_rule
Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.
Checks: C-54984r807117_chk

Type "about:policies" in the browser window. If "ExtensionUpdate" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.

Fix: F-54938r807118_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Extensions Policy Name: Extension Update Policy State: Disabled macOS "plist" file: Add the following: <key>ExtensionUpdate</key> <false/> Linux "policies.json" file: Add the following in the policies section: "ExtensionUpdate": false

b
Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.
SI-3 - Medium - CCI-001242 - V-251550 - SV-251550r807122_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
FFOX-00-000006
Vuln IDs
  • V-251550
Rule IDs
  • SV-251550r807122_rule
Some files can be downloaded or execute without user interaction. This setting ensures these files are not downloaded and executed.
Checks: C-54985r807120_chk

Type "about:preferences" in the browser address bar. Type "Applications" in the Find bar in the upper right. Determine if any of the following file extensions are listed: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding. If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, this is a finding.

Fix: F-54939r807121_fix

Remove any unauthorized extensions from the auto-download list.

b
Firefox must be configured to disable form fill assistance.
CM-7 - Medium - CCI-000381 - V-251551 - SV-251551r807125_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000007
Vuln IDs
  • V-251551
Rule IDs
  • SV-251551r807125_rule
To protect privacy and sensitive data, Firefox provides the ability to configure the program so that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.
Checks: C-54986r807123_chk

Type "about:policies" in the browser window. If "DisableFormHistory" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54940r807124_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Form History Policy State: Enabled macOS "plist" file: Add the following: <key>DisableFormHistory</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableFormHistory": true

b
Firefox must be configured to not use a password store with or without a master password.
CM-7 - Medium - CCI-000381 - V-251552 - SV-251552r807128_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000008
Vuln IDs
  • V-251552
Rule IDs
  • SV-251552r807128_rule
Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information.
Checks: C-54987r807126_chk

Type "about:policies" in the browser window. If "PasswordManagerEnabled" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.

Fix: F-54941r807127_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Password Manager Policy State: Disabled macOS "plist" file: Add the following: <key>PasswordManager</key> <false/> Linux "policies.json" file: Add the following in the policies section: "PasswordManager": false

b
Firefox must be configured to block pop-up windows.
CM-7 - Medium - CCI-000381 - V-251553 - SV-251553r807131_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000009
Vuln IDs
  • V-251553
Rule IDs
  • SV-251553r807131_rule
Pop-up windows may be used to launch an attack within a new browser window with altered settings. This setting blocks pop-up windows created while the page is loading.
Checks: C-54988r807129_chk

Type "about:policies" in the browser address bar. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Default" "true", this is a finding.

Fix: F-54942r807130_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Popups Policy Name: Block pop-ups from websites Policy State: Enabled macOS "plist" file: Add the following: <key>PopupBlocking</key> <true/> Linux "policies.json" file: Add the following in the policies section: "PopupBlocking": true

b
Firefox must be configured to prevent JavaScript from moving or resizing windows.
CM-7 - Medium - CCI-000381 - V-251554 - SV-251554r807134_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000010
Vuln IDs
  • V-251554
Rule IDs
  • SV-251554r807134_rule
JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Configure the browser setting to prevent scripts on visited websites from moving and resizing browser windows.
Checks: C-54989r807132_chk

Type "about:policies" in the browser address bar. If "dom.disable_window_move_resize" is not displayed with a value of "true", this is a finding.

Fix: F-54943r807133_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "dom.disable_window_move_resize": { "Value": true, "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>dom.disable_window_move_resize</key> <dict> <key>Value</key> <true/> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "dom.disable_window_move_resize": { "Value": true, "Status": "locked" } }

b
Firefox must be configured to prevent JavaScript from raising or lowering windows.
CM-7 - Medium - CCI-000381 - V-251555 - SV-251555r807137_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000011
Vuln IDs
  • V-251555
Rule IDs
  • SV-251555r807137_rule
JavaScript can raise and lower browser windows to cause improper input. Configure the browser setting to prevent scripts on visited websites from raising and lowering browser windows.
Checks: C-54990r807135_chk

Type "about:policies" in the browser address bar. If "dom.disable_window_flip" is not displayed with a value of "true", this is a finding.

Fix: F-54944r807136_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "dom.disable_window_flip": { "Value": true, "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>dom.disable_window_flip</key> <dict> <key>Value</key> <true/> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "dom.disable_window_flip": { "Value": true, "Status": "locked" } }

b
Firefox must be configured to prevent JavaScript from disabling or replacing context menus.
CM-7 - Medium - CCI-000381 - V-251556 - SV-251556r807140_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000012
Vuln IDs
  • V-251556
Rule IDs
  • SV-251556r807140_rule
A website may execute JavaScript that can remove or replace context menus/pop-up menus. This can help disguise an attack. Set this preference to "false" so that web pages will not be able to affect the context menu event.
Checks: C-54991r807138_chk

Type "about:policies" in the browser address bar. If "dom.event.contextmenu.enabled" is not displayed with a value of "false", this is a finding.

Fix: F-54945r807139_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "dom.event.contextmenu.enabled": { "Value": false, "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>dom.event.contextmenu.enabled</key> <dict> <key>Value</key> <false/> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "dom.event.contextmenu.enabled": { "Value": false, "Status": "locked" } }

b
Firefox must be configured to disable the installation of extensions.
CM-7 - Medium - CCI-000381 - V-251557 - SV-251557r807143_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000013
Vuln IDs
  • V-251557
Rule IDs
  • SV-251557r807143_rule
A browser extension is a program that has been installed into the browser to add functionality. Where a plug-in interacts only with a web page and usually a third-party external application (e.g., Flash, Adobe Reader), an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions that apply to web pages. For example, an extension can be written to combine data from multiple domains and present it when a certain page is accessed, which can be considered cross-site scripting. If a browser is configured to allow unrestricted use of extensions, plug-ins can be loaded and installed from malicious sources and used on the browser.
Checks: C-54992r807141_chk

Type "about:policies" in the browser address bar. If "InstallAddonsPermission" is not displayed under Policy Name or the Policy Value is not "Default" "false", this is a finding.

Fix: F-54946r807142_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Addons Policy Name: Allow add-on installs from websites Policy State: Disabled macOS "plist" file: Add the following: <key>InstallAddonsPermission</key> <false/> Linux "policies.json" file: Add the following in the policies section: "InstallAddonsPermission": false

b
Background submission of information to Mozilla must be disabled.
CM-7 - Medium - CCI-000381 - V-251558 - SV-251558r807146_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000014
Vuln IDs
  • V-251558
Rule IDs
  • SV-251558r807146_rule
Firefox by default sends information about Firefox to Mozilla servers. There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publicly.
Checks: C-54993r807144_chk

Type "about:policies" in the browser window. If "DisableTelemetry" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54947r807145_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Telemetry Policy State: Enabled macOS "plist" file: Add the following: <key>DisableTelemetry</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableTelemetry": true

a
Firefox development tools must be disabled.
SI-11 - Low - CCI-001312 - V-251559 - SV-251559r807149_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
FFOX-00-000015
Vuln IDs
  • V-251559
Rule IDs
  • SV-251559r807149_rule
Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back ends being used for data storage may be displayed. Because this information may be placed in logs and general messages during normal operation of the web browser, an attacker does not have to cause an error condition to gain this information.
Checks: C-54994r807147_chk

Type "about:policies" in the browser window. If "DisableDeveloperTools" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54948r807148_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Developer Tools Policy State: Enabled macOS "plist" file: Add the following: <key>DisableDeveloperTools</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableDeveloperTools": true

b
Firefox must have the DoD root certificates installed.
IA-5 - Medium - CCI-000185 - V-251560 - SV-251560r807152_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
FFOX-00-000016
Vuln IDs
  • V-251560
Rule IDs
  • SV-251560r807152_rule
The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD Certificate Authority (CA).
Checks: C-54995r807150_chk

Type "about:preferences#privacy" in the browser window. Scroll down to the bottom and select "View Certificates..." In the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4. If there are entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, select them individually. Click the "View" button. Verify the publishing organization is "US Government". If there are no entries for the DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, this is a finding. Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store. This is not a finding. It may also be set via the policy Certificates &gt;&gt; ImportEnterpriseRoots, which can be verified via "about:policies".

Fix: F-54949r807151_fix

Install the DoD root certificates. On Windows, import certificates from the operating system by using Certificates >> Import Enterprise Roots (Certificates) via policy or Group Policy Object (GPO).

b
Firefox must be configured to not delete data upon shutdown.
AC-24 - Medium - CCI-002355 - V-251561 - SV-251561r807155_rule
RMF Control
AC-24
Severity
M
CCI
CCI-002355
Version
FFOX-00-000017
Vuln IDs
  • V-251561
Rule IDs
  • SV-251561r807155_rule
For diagnostic purposes, data must remain behind when the browser is closed. This is required to meet non-repudiation controls.
Checks: C-54996r807153_chk

Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.

Fix: F-54950r807154_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Clear data when browser is closed Policy Name: Cache, Cookies, Download History, Form & Search History, Browsing History, Active Logins, Site Preferences, Offline Website Data Policy State: Disabled Policy Name: Locked Policy State: Enabled macOS "plist" file: Add the following: <key>SanitizeOnShutdown</key> <dict> <key>Cache</key> <false/> <key>Cookies</key> <false/> <key>Downloads</key> <false/> <key>FormData</key> <false/> <key>History</key> <false/> <key>Sessions</key> <false/> <key>SiteSettings</key> <false/> <key>OfflineApps</key> <false/> <key>Locked</key> <true/> </dict> Linux "policies.json" file: Add the following in the policies section: "SanitizeOnShutdown": { "Cache": false, "Cookies": false, "Downloads": false, "FormData": false, "History": false, "Sessions": false, "SiteSettings": false, "OfflineApps": false, "Locked": true }

b
Firefox must prevent the user from quickly deleting data.
AC-24 - Medium - CCI-002355 - V-251562 - SV-251562r807158_rule
RMF Control
AC-24
Severity
M
CCI
CCI-002355
Version
FFOX-00-000018
Vuln IDs
  • V-251562
Rule IDs
  • SV-251562r807158_rule
There should not be an option for a user to "forget" work they have done. This is required to meet non-repudiation controls.
Checks: C-54997r807156_chk

Type "about:policies" in the browser address bar. If "DisableForgetButton" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54951r807157_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Forget Button Policy State: Enabled macOS "plist" file: Add the following: <key>DisableForgetButton</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableForgetButton": true

b
Firefox private browsing must be disabled.
CM-7 - Medium - CCI-000381 - V-251563 - SV-251563r807161_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000019
Vuln IDs
  • V-251563
Rule IDs
  • SV-251563r807161_rule
Private browsing allows the user to browse the internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained.
Checks: C-54998r807159_chk

Type "about:policies" in the browser window. If "DisablePrivateBrowsing" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54952r807160_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Private Browsing Policy State: Enabled macOS "plist" file: Add the following: <key>DisablePrivateBrowsing</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisablePrivateBrowsing": true

b
Firefox search suggestions must be disabled.
CM-7 - Medium - CCI-000381 - V-251564 - SV-251564r807164_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000020
Vuln IDs
  • V-251564
Rule IDs
  • SV-251564r807164_rule
Search suggestions must be disabled as this could lead to searches being conducted that were never intended to be made.
Checks: C-54999r807162_chk

Type "about:policies" in the browser window. If "SearchSuggestEnabled" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.

Fix: F-54953r807163_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Search Policy Name: Search Suggestions Policy State: Disabled macOS "plist" file: Add the following: <key>SearchSuggestEnabled</key> <false/> Linux "policies.json" file: Add the following in the policies section: "SearchSuggestEnabled": false

a
Firefox autoplay must be disabled.
CM-7 - Low - CCI-000381 - V-251565 - SV-251565r807167_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
FFOX-00-000021
Vuln IDs
  • V-251565
Rule IDs
  • SV-251565r807167_rule
Autoplay allows the user to control whether videos can play automatically (without user consent) with audio content. The user must be able to select content that is run within the browser window.
Checks: C-55000r807165_chk

Type "about:policies" in the browser address bar. If "Permissions-&gt;Autoplay" is not displayed under Policy Name or the Policy Value is not "block-audio-video" with a value of "true", this is a finding.

Fix: F-54954r807166_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Permissions\Autoplay Policy Name: Default autoplay level Policy State: Enabled Policy Value: Block Audio and Video macOS "plist" file: Add the following: <key>Permissions</key> <dict> <key>Autoplay</key> <dict> <string>block-audio-video</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Permissions": { "Autoplay": { "Default": "block-audio-video" } }

b
Firefox network prediction must be disabled.
CM-7 - Medium - CCI-000381 - V-251566 - SV-251566r807170_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000022
Vuln IDs
  • V-251566
Rule IDs
  • SV-251566r807170_rule
If network prediction is enabled, requests to URLs are made without user consent. The browser should always make a direct DNS request without prefetching occurring.
Checks: C-55001r807168_chk

Type "about:policies" in the browser window. If "NetworkPrediction" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.

Fix: F-54955r807169_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Network Prediction Policy State: Disabled macOS "plist" file: Add the following: <key>NetworkPrediction</key> <false/> Linux "policies.json" file: Add the following in the policies section: "NetworkPrediction": false

b
Firefox fingerprinting protection must be enabled.
CM-7 - Medium - CCI-000381 - V-251567 - SV-251567r807173_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000023
Vuln IDs
  • V-251567
Rule IDs
  • SV-251567r807173_rule
The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists that Firefox is set to use, the fingerprinting script (or other tracking script/image) will not be loaded from that site. Fingerprinting scripts collect information about browser and device configuration, such as operating system, screen resolution, and other settings. By compiling these pieces of data, fingerprinters create a unique profile that can be used to track the user around the web.
Checks: C-55002r807171_chk

Type "about:policies" in the browser address bar. If "EnableTrackingProtection" is not displayed under Policy Name or the Policy Value is not "Fingerprinting" with a value of "true", this is a finding.

Fix: F-54956r807172_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Tracking Protection Policy Name: Fingerprinting Policy State: Enabled macOS "plist" file: Add the following: <key>EnableTrackingProtection</key> <dict> <key>Fingerprinting</key> <true/> </dict> Linux "policies.json" file: Add the following in the policies section: "EnableTrackingProtection": { "Fingerprinting": true }

b
Firefox cryptomining protection must be enabled.
CM-7 - Medium - CCI-000381 - V-251568 - SV-251568r807176_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000024
Vuln IDs
  • V-251568
Rule IDs
  • SV-251568r807176_rule
The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists that Firefox is set to use, the fingerprinting script (or other tracking script/image) will not be loaded from that site. Cryptomining scripts use a computer's central processing unit to invisibly mine cryptocurrency.
Checks: C-55003r807174_chk

Type "about:policies" in the browser address bar. If "EnableTrackingProtection" is not displayed under Policy Name or the Policy Value is not "Cryptomining" with a value of "true", this is a finding.

Fix: F-54957r807175_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Tracking Protection Policy Name: Cryptomining Policy State: Enabled macOS "plist" file: Add the following: <key>EnableTrackingProtection</key> <dict> <key>Cryptomining</key> <true/> </dict> Linux "policies.json" file: Add the following in the policies section: "EnableTrackingProtection": { "Cryptomining": true }

b
Firefox Enhanced Tracking Protection must be enabled.
CM-7 - Medium - CCI-000381 - V-251569 - SV-251569r807179_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000025
Vuln IDs
  • V-251569
Rule IDs
  • SV-251569r807179_rule
Tracking generally refers to content, cookies, or scripts that can collect browsing data across multiple sites. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55004r807177_chk

Type "about:policies" in the browser address bar. If "browser.contentblocking.category" is not displayed with a value of "strict", this is a finding.

Fix: F-54958r807178_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "browser.contentblocking.category": { "Value": "strict", "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>browser.contentblocking.category</key> <dict> <key>Value</key> <string>strict</string> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "browser.contentblocking.category": { "Value": "strict", "Status": "locked" } }

b
Firefox extension recommendations must be disabled.
CM-7 - Medium - CCI-000381 - V-251570 - SV-251570r807182_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000026
Vuln IDs
  • V-251570
Rule IDs
  • SV-251570r807182_rule
The Recommended Extensions program makes it easier for users to discover extensions that have been reviewed for security, functionality, and user experience. Allowed extensions are to be centrally managed.
Checks: C-55005r807180_chk

Type "about:policies" in the browser address bar. If "extensions.htmlaboutaddons.recommendations.enabled" is not displayed with a value of "false", this is a finding.

Fix: F-54959r807181_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences Policy State: Enabled Policy Value: { "extensions.htmlaboutaddons.recommendations.enabled": { "Value": false, "Status": "locked" } } macOS "plist" file: Add the following: <key>Preferences</key> <dict> <key>extensions.htmlaboutaddons.recommendations.enabled</key> <dict> <key>Value</key> <false/> <key>Status</key> <string>locked</string> </dict> </dict> Linux "policies.json" file: Add the following in the policies section: "Preferences": { "extensions.htmlaboutaddons.recommendations.enabled": { "Value": false, "Status": "locked" } }+I420

b
Firefox deprecated ciphers must be disabled.
CM-7 - Medium - CCI-000381 - V-251571 - SV-251571r807185_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000027
Vuln IDs
  • V-251571
Rule IDs
  • SV-251571r807185_rule
A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken.
Checks: C-55006r807183_chk

Type "about:policies" in the browser address bar. If "DisabledCiphers" is not displayed under Policy Name or the Policy Value is not "TLS_RSA_WITH_3DES_EDE_CBC_SHA" with a value of "false", this is a finding.

Fix: F-54960r807184_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Disabled Ciphers Policy Name: TLS_RSA_WITH_3DES_EDE_CBC_SHA Update Policy State: Disabled macOS "plist" file: Add the following: <key>DisabledCiphers</key> <dict> <key>TLS_RSA_WITH_3DES_EDE_CBC_SHA</key> <false/> </dict> Linux "policies.json" file: Add the following in the policies section: "DisabledCiphers": { "TLS_RSA_WITH_3DES_EDE_CBC_SHA": false }

b
Firefox must not recommend extensions as the user is using the browser.
CM-7 - Medium - CCI-000381 - V-251572 - SV-251572r807188_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000028
Vuln IDs
  • V-251572
Rule IDs
  • SV-251572r807188_rule
The Recommended Extensions program recommends extensions to users as they surf the web. The user must not be encouraged to install extensions from the websites they visit. Allowed extensions are to be centrally managed.
Checks: C-55007r807186_chk

Type "about:policies" in the browser address bar. If "UserMessaging" is not displayed under Policy Name or the Policy Value is not "ExtensionRecommendations" with a value of "false", this is a finding.

Fix: F-54961r807187_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\User Messaging Policy Name: Extension Recommendations Policy State: Disabled macOS "plist" file: Add the following: <key>UserMessaging</key> <dict> <key>ExtensionRecommendations</key> <false/> </dict> Linux "policies.json" file: Add the following in the policies section: "UserMessaging": { "ExtensionRecommendations": false }

b
The Firefox New Tab page must not show top sites.
CM-7 - Medium - CCI-000381 - V-251573 - SV-251573r807191_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000029
Vuln IDs
  • V-251573
Rule IDs
  • SV-251573r807191_rule
The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. The new tab page must not actively show user activity.
Checks: C-55008r807189_chk

Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding.

Fix: F-54962r807190_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Customize Firefox Home Policy State: Enabled Policy Value: Uncheck Top Sites macOS "plist" file: Add the following: <key>FirefoxHome</key> <dict> <key>TopSites</key> <false/> </dict> Linux "policies.json" file: Add the following in the policies section: "FirefoxHome": { "TopSites": false }

b
The Firefox New Tab page must not show recommended stories.
CM-7 - Medium - CCI-000381 - V-251574 - SV-251574r807194_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000030
Vuln IDs
  • V-251574
Rule IDs
  • SV-251574r807194_rule
The New Tab page by default shows web pages recommended by a third party (Pocket). The new tab page must not show unrelated/unnecessary content to the user. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55009r807192_chk

Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding.

Fix: F-54963r807193_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Customize Firefox Home Policy State: Enabled Policy Value: Uncheck Recommended by Pocket macOS "plist" file: Add the following: <key>FirefoxHome</key> <dict> <key>Pocket</key> <false/> </dict> Linux "policies.json" file: Add the following in the policies section: "FirefoxHome": { "Pocket": false }

b
The Firefox New Tab page must not show highlights.
CM-7 - Medium - CCI-000381 - V-251575 - SV-251575r807197_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000031
Vuln IDs
  • V-251575
Rule IDs
  • SV-251575r807197_rule
The New Tab page by default shows the sites the user visits the most. The new tab page must not actively show user activity. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55010r807195_chk

Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding.

Fix: F-54964r807196_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Customize Firefox Home Policy State: Enabled Policy Value: Uncheck Download History macOS "plist" file: Add the following: <key>FirefoxHome</key> <dict> <key>Highlights</key> <false/> </dict> Linux "policies.json" file: Add the following in the policies section: "FirefoxHome": { "Highlights": false }

b
The Firefox New Tab page must not show snippets.
CM-7 - Medium - CCI-000381 - V-251576 - SV-251576r807200_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000032
Vuln IDs
  • V-251576
Rule IDs
  • SV-251576r807200_rule
The New Tab page by default shows messages from Mozilla. The new tab page must not show unnecessary messages from Mozilla. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55011r807198_chk

Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding.

Fix: F-54965r807199_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Customize Firefox Home Policy State: Enabled Policy Value: Uncheck Snippets macOS "plist" file: Add the following: <key>FirefoxHome</key> <dict> <key>Snippets</key> <false/> </dict> Linux "policies.json" file: Add the following in the policies section: "FirefoxHome": { "Snippets": false }

b
Firefox must be configured so that DNS over HTTPS is disabled.
CM-7 - Medium - CCI-000381 - V-251577 - SV-251577r807203_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000033
Vuln IDs
  • V-251577
Rule IDs
  • SV-251577r807203_rule
DNS over HTTPS has generally not been adopted in the DoD. DNS is tightly controlled. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled.
Checks: C-55012r807201_chk

Type "about:policies" in the browser address bar. If "DNSOverHTTPS" is not displayed under Policy Name or the Policy Value does not have "Enabled" with a value of "false", this is a finding.

Fix: F-54966r807202_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\DNS Over HTTPS Policy Name: Enabled Policy State: Disabled macOS "plist" file: <key>DNSOverHTTPS</key> <dict> <key>Enabled</key> <false/> Linux "policies.json" file: Add the following in the policies section: "DNSOverHTTPS": {"Enabled": false}

b
Firefox accounts must be disabled.
CM-7 - Medium - CCI-000381 - V-251578 - SV-251578r807206_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000034
Vuln IDs
  • V-251578
Rule IDs
  • SV-251578r807206_rule
Disable Firefox Accounts integration (Sync). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55013r807204_chk

Type "about:policies" in the browser address bar. If "DisableFirefoxAccounts" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54967r807205_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Disable Firefox Accounts Policy State: Enabled macOS "plist" file: <key>DisableFirefoxAccounts</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableFirefoxAccounts": true

b
Firefox updates must not run in the background.
CM-7 - Medium - CCI-000381 - V-251579 - SV-251579r807209_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000035
Vuln IDs
  • V-251579
Rule IDs
  • SV-251579r807209_rule
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55014r807207_chk

Type "about:policies" in the browser address bar. If "BackgroundAppUpdate" is not displayed under Policy Name or the Policy Value is not "false", this is a finding. Note: This is a Windows-only control. For other operating systems, this requirement is Not Applicable.

Fix: F-54968r807208_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Background Updater Policy State: Disabled

b
Firefox feedback reporting must be disabled.
CM-7 - Medium - CCI-000381 - V-251580 - SV-251580r809561_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000036
Vuln IDs
  • V-251580
Rule IDs
  • SV-251580r809561_rule
Disable the menus for reporting sites (Submit Feedback, Report Deceptive Site). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55015r807210_chk

Type "about:policies" in the browser address bar. If "DisableFeedbackCommands" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.

Fix: F-54969r807211_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Disable Feedback Commands Policy State: Enabled macOS "plist" file: <key>DisableFeedbackCommands</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableFeedbackCommands": true

b
Firefox encrypted media extensions must be disabled.
CM-7 - Medium - CCI-000381 - V-251581 - SV-251581r807215_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
FFOX-00-000037
Vuln IDs
  • V-251581
Rule IDs
  • SV-251581r807215_rule
Enable or disable Encrypted Media Extensions and optionally lock it. If "Enabled" is set to "false", Firefox does not download encrypted media extensions (such as Widevine) unless the user consents to installing them. If "Locked" is set to "true" and "Enabled" is set to "false", Firefox will not download encrypted media extensions (such as Widevine) or ask the user to install them. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
Checks: C-55016r807213_chk

Type "about:policies" in the browser address bar. If "EncryptedMediaExtensions" is not displayed under Policy Name or the Policy Value does not have "Enabled" set to "false" or the Policy Value does not have "Locked" set to "true", this is a finding.

Fix: F-54970r807214_fix

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Encrypted Media Extensions Policy Name: Enable Encrypted Media Extensions Policy State: Disabled Policy Name: Lock Encrypted Media Extensions Policy State: Enabled macOS "plist" file: <key>EncryptedMediaExtensions</key> <dict> <key>Enabled</key> <false/> <key>Locked</key> <true/> Linux "policies.json" file: Add the following in the policies section: "EncryptedMediaExtensions": { "Enabled": false, "Locked": true }