Firefox must be configured to not use a password store with or without a master password.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-251552 | FFOX-00-000008 | SV-251552r960963_rule | CCI-000381 | medium |
| Description | ||||
| Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information. | ||||
| STIG | Date | |||
| Mozilla Firefox Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-7
1.00
- DISA · 6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.6
1.00
- DISA · 6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000381
1.00
- DISA · 6 · disa_xccdf · related
Details
Check Text (C-251552r960963_chk)
Type "about:policies" in the browser window.
If "PasswordManagerEnabled" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.
Fix Text (F-54941r822410_fix)
Windows group policy:
1. Open the group policy editor tool with "gpedit.msc".
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox
Policy Name: PasswordManager
Policy State: Disabled
macOS "plist" file:
Add the following:
<key>PasswordManagerEnabled</key>
<false/>
Linux "policies.json" file:
Add the following in the policies section:
"PasswordManagerEnabled": false