Mozilla this week refreshed Firefox by releasing version 88, adding yet another anti-tracking defense, this one set up to stymie abuses of the JavaScript variable window.name.
The company’s developers also patched 13 vulnerabilities, five of them labeled “High,” Firefox’s second-most-serious label. “We presume that with enough effort this could have been exploited to run arbitrary code,” Mozilla noted in three of the five. None were marked “Critical.”
Firefox 88 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.
Mozilla upgrades Firefox every four weeks; the last refresh was on March 23.
Leakage around the window.name
Easily the most notable change in Firefox 88 was this one, which Mozilla characterized as “a new protection against privacy leaks” designed so that “trackers are no longer able to abuse the window.name property to track users across websites.”
The window.name JavaScript variable can store any data the site desires, and because it has largely been exempt to browsers’ policies designed to block sites from sharing data, they have been abused by advertisers to track users’ movements around the web. “Tracking companies … have effectively turned it into a communication channel for transporting data between websites,” Mozilla contended. “Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website.”
Firefox 88 now clears the window.name property when the user navigates from one site to another, effectively blocking the abuse. (The browser also applies a pair of rules that will prevent most site breakage by legitimate application of window.name data sharing.)
With this new pro-privacy technique, Mozilla follows Apple, whose Safari already clears window.name. Chromium (and thus Google’s Chrome and Microsoft’s Edge) has not yet implemented something similar, although the open-source project is working on a solution.
And that’s about all
Other than Mozilla’s window.name clampdown, Firefox 88 can boast of only a handful of changes, all of them minor. (That’s how some updates go when a browser releases every 28 days.)
- Mozilla deleted “Take a Screenshot” from the “Page actions” menu in the address bar (that menu is called up by clicking the three-dot icon near the right end of the bar). Instead, “Take Screenshot” now appears in the right-click context-sensitive menu.
- “PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features,” Mozilla stated in the Firefox 88 release notes. However, some worry that this support — running JavaScript, notorious for being leveraged by cyber criminals, simply by opening a PDF — is a potential security problem. (Here’s an example of unease, one that also includes instructions for manually disabling Firefox 88’s ability to execute JavaScript within PDFs. Elsewhere, one commenter countered the news of this functionality with the terse, “This is [a] mistake [that] everyone will regret later.”
The next version, Firefox 89, will be released June 1. That’s in six weeks, a departure from Mozilla’s usual four-week release interval. Firefox 89’s successor, version 90, will ship June 29, or four weeks later.
