Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Firefox 72 Blocks Fingerprinting Scripts by Default

Mozilla this week released Firefox 72 to the stable channel with advanced privacy protections that involve the blocking of fingerprinting scripts by default.

Mozilla this week released Firefox 72 to the stable channel with advanced privacy protections that involve the blocking of fingerprinting scripts by default.

Long focused on protecting users’ privacy when browsing the Internet, Mozilla launched Enhanced Tracking Protection (ETP) last year, which keeps users safe from cross-site tracking.

Last week, it also announced that it would let users delete telemetry data, a reaction to the California Consumer Privacy Act (CCPA).

The release of Firefox 72 this week marked another milestone in the organization’s effort toward a more private browsing experience, by expanding the protection to also include browser fingerprinting.

Scripts that have been designed for fingerprinting collect unique characteristics of a user’s browser and device, so as to leverage the information to identify that user. Collected details include screen size, browser and operating system, installed fonts, and other device properties.

The collected information is then used to differentiate one user’s browser from another, which allows companies to track users for long periods of time, even after they cleared browsing data.

Both standards bodies and browser vendors agree that fingerprinting is harmful, but its use has increased across the web over the past ten years, Mozilla says.

Advertisement. Scroll to continue reading.

Protecting users from fingerprinting without breaking websites, the organization explains, involves blocking parties that participate in fingerprinting, and modifying or removing APIs used for fingerprinting.

With the release of Firefox 72, the organization is now blocking third-party requests to companies known to engage in fingerprinting.

Thus, these companies should no longer be able to gather device details using JavaScript and will not receive information revealed through network requests either — such as the user’s IP address or the user agent header.

The protection is provided in partnership with Disconnect, which maintains a list of companies known for cross-site tracking and a list of those that fingerprint users. Firefox now blocks all parties at the intersection of these two classifications.

Mozilla also adapted measurement techniques from previous academic research to help find new fingerprinting domains, and explains that Disconnect performs a rigorous evaluation of each potential domain that is added to the list.

Following this first step, Mozilla plans on expanding the fingerprinting protection through both script blocking and API-level protections.

“We will continue to monitor fingerprinting on the web, and will work with Disconnect to build out the set of domains blocked by Firefox. Expect to hear more updates from us as we continue to strengthen the protections provided by ETP,” Mozilla concludes.

In addition to this privacy enhancement, Firefox 72 includes patches for 11 vulnerabilities, including 5 rated high severity, 5 medium risk, and one low severity.

The high-severity bugs include a memory corruption in parent processes during new process initialization on Windows, bypass of @namespace CSS sanitization during pasting, type confusion in XPCVariant.cpp, and memory safety bugs in both Firefox 71 and Firefox ESR 68.3.

Medium-severity flaws patched this month include the Windows keyboard in Private Browsing mode retaining word suggestions; Python files could be inadvertently executed upon opening a download; Content Security Policy not applied to XSL stylesheets applied to XML documents; heap address disclosure in parent processes during content process initialization on Windows; and CSS sanitization does not escape HTML tags.

The low-severity bug patched in this release could result in an invalid state transition in the TLS State Machine, as the client may negotiate a lower protocol than TLS 1.3 after a HelloRetryRequest has been sent.

Related: Firefox 72 Will Let Users Delete Telemetry Data

Related: Mozilla Hardens Firefox Against Injection Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.