Firefox news: Fresh releases, Firefox Quantum for Enterprise, privacy protections
Firefox 59 (for desktop and mobile) and Firefox ESR 52.7 have been released to the public.
Privacy enhancements and security fixes
The former sports some performance enhancements that should lead to faster load times, new search engine options for German and French users, and a change in Firefox Private Browsing Mode to prevent cross-site tracking.
“When you click a link in your browser to navigate to a new site, the new site you visit receives the exact address of the site you came from through the so-called ‘Referrer value’,” Mozilla explains.
Not only can these referrers show from which site users came from, but they can also contain sensitive information about the user.
Through this change, referrer values will be stripped of path and query string data, and will show only the Internet domain from which the user visited the site (e.g., https://www.reddit.com/ instead of .)
The new releases also come with a bucketload of security fixes, including those for memory safety bugs, some of which could, with enough effort, be exploited to run arbitrary code.
Firefox Quantum for Enterprise
Mozilla is releasing on Wednesday (today) the beta version of Firefox Quantum for Enterprise, which will offer enterprise administrative controls (i.e., a “policy engine”) for the browser.
The idea behind the offering is to make it easy for enterprise administrators to deploy a pre-configured installation of the new Firefox to employees’ Windows, Mac, and Linux PCs.
“IT professionals can configure and deploy Firefox Quantum for Enterprise through familiar tools,” Mozilla explained.
“Windows administrators can quickly set policies using Windows Group Policy. Administrators can then deploy the managed Firefox Quantum browser to users’ Windows PCs. For Mac, Linux, and Windows, administrators can simply include a JSON configuration file inside of Firefox’s installation directory.”
More information about the deployment process can be found here.
Announced privacy protection changes
Mozilla has recently announced that starting with Firefox 62, support for device orientation, motion, proximity and ambient light events will be deprecated in an effort to protect user privacy.
“Those sensor APIs make web apps more like native mobile apps, but given the powerful nature, they can be misused for browser fingerprinting or same-origin policy violations,” they noted.
The (now obsolete) APIs for proximity and ambient light will be disabled by default, but users will be able to enable them by typing about:config in the browser’s URL field, finding the device.sensors.enabled value and setting it to false.
The change is welcomed by security and privacy researcher Lukasz Olejnik, who has been pointing out the ways these APIs could be misused to steal sensitive browser data that could act as indentifiers.
“Firefox is disabling devicelight, deviceproximity, userproximity events, citing privacy concerns. Access to these APIs will be behind a user-controlled flag, which is good,” he commented.
“I am naturally happy with that decision – this is definitely a step in the right direction. However, I also hope that these flags will also encompass the modern mechanisms based on the Sensors API: the actual Ambient Light Sensor API or Proximity Sensor API.”