STIGQter: STIG Summary: Mozilla FireFox Security Technical Implementation Guide Version: 4 Release: 28 Benchmark Date: 24 Jan 2020: Firefox is not configured to prompt a user before downloading and opening required file types.

DISA Rule

SV-16711r4_rule

Vulnerability Number

V-15772

Group Title

DTBF110 - FireFox Preferences – Open Confirmation

Rule Version

DTBF110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files.
Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application, rather than an add-on or plugin, is used:
PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.

Check Contents

Open a browser window, type "about:config" in the address bar.
Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following external extensions and not locked, this is a finding:
PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.
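
The check above can be automated against a deployed configuration file. The following is an added example, not part of the STIG or of STIGQter, and it treats a value that is incomplete or unlocked as a finding. Assumptions: the preference is deployed through a Firefox AutoConfig file using `lockPref`, its value is a comma-separated list, and the sample file contents are constructed.

```python
import re

PREF = "plugin.disable_full_page_plugin_for_types"

# Extension list copied from the check text; repeated entries collapse in the set.
REQUIRED = {e.strip().lower() for e in (
    "PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, "
    "DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, "
    "WBK, WB1, WCH, WCM, AD, ADP").split(",")}

# AutoConfig calls with a string value; anchoring at line start skips "//" comments.
CALL = re.compile(
    r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)

def audit(cfg_text):
    """Return (is_finding, locked, missing) for one AutoConfig file's text."""
    value, locked = "", False
    for func, name, val in CALL.findall(cfg_text):
        # Assumption: a lockPref value is only replaced by a later lockPref.
        if name == PREF and (func == "lockPref" or not locked):
            value, locked = val, func == "lockPref"
    present = {t.strip().lower().lstrip(".") for t in value.split(",") if t.strip()}
    missing = sorted(REQUIRED - present)
    # Compliant only when every extension is listed AND the preference is locked.
    return (bool(missing) or not locked, locked, missing)

# Constructed sample inputs (not taken from a real system).
FULL = ",".join(sorted(REQUIRED))
SAMPLE_OK = '// AutoConfig (constructed)\nlockPref("%s", "%s");\n' % (PREF, FULL)
SAMPLE_UNLOCKED = '// AutoConfig (constructed)\npref("%s", "%s");\n' % (PREF, FULL)
SAMPLE_PARTIAL = '// AutoConfig (constructed)\nlockPref("%s", "PDF, .doc");\n' % PREF
SAMPLE_COMMENTED = '// lockPref("%s", "%s");\n' % (PREF, FULL)

if __name__ == "__main__":
    for label, text in [("ok", SAMPLE_OK), ("unlocked", SAMPLE_UNLOCKED),
                        ("partial", SAMPLE_PARTIAL), ("commented", SAMPLE_COMMENTED)]:
        finding, locked, missing = audit(text)
        print(f"{label}: finding={finding} locked={locked} missing={len(missing)}")
```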

Documentable

False

Severity Override Guidance

Open a browser window, type "about:config" in the address bar.
Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following external extensions and not locked, this is a finding:
PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.

Check Content Reference

M

Responsibility

System Administrator

Target Key

205

Comments