FireFox is configured to use a password store with or without a master password.

From Mozilla Firefox Security Technical Implementation Guide

Part of DTBF160 - FireFox Preferences – Password store

Associated with: CCI-000381

SV-16715r2_rule FireFox is configured to use a password store with or without a master password.

Vulnerability discussion

Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.

Check content

Type "about:config" in the browser window. Verify that the preference name “signon.rememberSignons" is set and locked to “false”. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix text

Ensure the preference “signon.rememberSignons“ is set and locked to the value of “false”.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer