
Mozilla this week released Firefox 72 to the stable channel with advanced privacy protections that involve the blocking of fingerprinting scripts by default.

Long focused on protecting users’ privacy when browsing the Internet, Mozilla launched Enhanced Tracking Protection (ETP) last year, which keeps users safe from cross-site tracking.

Last week, it also announced that it would let users delete telemetry data, a reaction to the California Consumer Privacy Act (CCPA).

The release of Firefox 72 this week marked another milestone in the organization’s effort toward a more private browsing experience, by expanding the protection to also include browser fingerprinting.

Scripts designed for fingerprinting collect the unique characteristics of a user’s browser and device and use that combination of details to identify the user. Collected details include screen size, browser and operating system, installed fonts, and other device properties.

The collected information is then used to differentiate one user’s browser from another, which allows companies to track users for long periods of time, even after they have cleared their browsing data.

Both standards bodies and browser vendors agree that fingerprinting is harmful, but its use has increased across the web over the past ten years, Mozilla says.

Protecting users from fingerprinting without breaking websites, the organization explains, involves blocking parties that participate in fingerprinting, and modifying or removing APIs used for fingerprinting.

With the release of Firefox 72, the organization is now blocking third-party requests to companies known to engage in fingerprinting.

Thus, these companies should no longer be able to gather device details using JavaScript and will not receive information revealed through network requests either — such as the user’s IP address or the user agent header.

The protection is provided in partnership with Disconnect, which maintains a list of companies known for cross-site tracking and a list of those that fingerprint users. Firefox now blocks all parties at the intersection of these two classifications.
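The blocking rule described above, as an added illustration that is not Firefox or Disconnect code: a request is cut off only when it is third-party and its host falls in the intersection of the cross-site-tracking and fingerprinting classifications. The list contents and URLs are constructed placeholders, and registrable-domain extraction is simplified to the last two labels rather than the Public Suffix List.

```javascript
// Constructed placeholder lists standing in for Disconnect's two classifications.
const TRACKING_LIST = new Set(["tracker.example", "ads.example", "fp-tracker.example"]);
const FINGERPRINTING_LIST = new Set(["fp-tracker.example", "fp-only.example"]);

// Intersection of the two classifications: only these domains are blocked.
function blockedDomains(tracking, fingerprinting) {
  return new Set([...tracking].filter((d) => fingerprinting.has(d)));
}

// Simplified registrable-domain extraction (last two labels). Real browsers use
// the Public Suffix List, so suffixes such as "co.uk" are not handled here.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// A request is third-party when its registrable domain differs from the page's.
function isThirdParty(pageUrl, requestUrl) {
  return baseDomain(new URL(pageUrl).hostname) !== baseDomain(new URL(requestUrl).hostname);
}

// Returns "block" or "allow" for one request. First-party requests are never
// blocked; only third-party requests to listed companies are refused.
function decide(pageUrl, requestUrl, blocked) {
  if (!isThirdParty(pageUrl, requestUrl)) return "allow";
  const labels = new URL(requestUrl).hostname.toLowerCase().split(".");
  // Match the host itself or any parent domain (cdn.fp-tracker.example -> fp-tracker.example).
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocked.has(labels.slice(i).join("."))) return "block";
  }
  return "allow";
}

const BLOCKED = blockedDomains(TRACKING_LIST, FINGERPRINTING_LIST);

// Sample decisions on constructed URLs.
const samples = [
  ["https://news.example/", "https://cdn.fp-tracker.example/fp.js"],    // block: on both lists
  ["https://news.example/", "https://ads.example/pixel.gif"],           // allow: tracking list only
  ["https://news.example/", "https://fp-only.example/collect"],         // allow: fingerprinting list only
  ["https://fp-tracker.example/", "https://fp-tracker.example/app.js"], // allow: first-party
];
for (const [page, req] of samples) console.log(decide(page, req, BLOCKED), req);
```

The third sample shows the consequence of the intersection rule: a domain that fingerprints but is not also classified as a cross-site tracker is still allowed by this first step.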

Mozilla also adapted measurement techniques from previous academic research to help find new fingerprinting domains, and explains that Disconnect performs a rigorous evaluation of each potential domain that is added to the list.

Following this first step, Mozilla plans on expanding the fingerprinting protection through both script blocking and API-level protections.

“We will continue to monitor fingerprinting on the web, and will work with Disconnect to build out the set of domains blocked by Firefox. Expect to hear more updates from us as we continue to strengthen the protections provided by ETP,” Mozilla concludes.

In addition to this privacy enhancement, Firefox 72 includes patches for 11 vulnerabilities, including 5 rated high severity, 5 medium risk, and one low severity.

The high-severity bugs include a memory corruption in parent processes during new process initialization on Windows, bypass of @namespace CSS sanitization during pasting, type confusion in XPCVariant.cpp, and memory safety bugs in both Firefox 71 and Firefox ESR 68.3.

Medium-severity flaws patched this month include the Windows keyboard retaining word suggestions in Private Browsing mode; Python files that could be inadvertently executed upon opening a download; Content Security Policy not being applied to XSL stylesheets used by XML documents; a heap address disclosure in parent processes during content process initialization on Windows; and CSS sanitization failing to escape HTML tags.

The low-severity bug patched in this release could result in an invalid state transition in the TLS State Machine, as the client may negotiate a lower protocol than TLS 1.3 after a HelloRetryRequest has been sent.

Source: SecurityWeek