Mozilla on Tuesday launched Firefox 72, which expanded picture-in-picture video mode to macOS and by default blocked “fingerprinting,” an advanced tracking method practiced by some sites and advertisers.
The open-source developers also patched 11 vulnerabilities, five labeled “High,” Mozilla’s second-most-serious threat rating. As usual, some of the flaws might be used by criminals. “We presume that with enough effort … it could be exploited to run arbitrary code,” the firm wrote of the CVE-2019-17017 vulnerability.
Firefox 72 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users need only relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla now refreshes Firefox every five weeks; it last upgraded the browser on Dec. 3.
(In September 2019, Mozilla said it would reduce the intervals between upgrades. The earlier six-week stretch was shortened to five weeks between Firefox 71 and 72. Starting with March’s Firefox 74, the interval will drop to four weeks.)
PiP-pin for McIntosh?
A month ago, Mozilla introduced Picture-in-Picture (PiP) with Firefox 71, touting the new feature’s ability to display video in a separate, small window while the user continues to surf elsewhere or even works outside the browser. Then, PiP was limited to Firefox running on Windows.
Firefox 72 expanded PiP to macOS – and if Mozilla’s December pledge was honored, Linux as well – and the feature works just as in Windows. Videos that will run in PiP are marked with a small, blue-backed “Picture-in-Picture” message when the mouse cursor hovers over the image. Clicking on that puts a frame on the desktop, video inside, and the frame can be moved and resized at will.
Firefox’s implementation of PiP is significantly smoother than Chrome’s – which requires a pair of right-clicks – in the videos where it’s available.
Scratch sites’ begging to blast you with notices
Another new aspect of Firefox 72 that Mozilla highlighted is its dampening down of the distraction from sites asking users to allow future notifications.
Those irritating pop-ups rarely result in users acquiescing to the request, Mozilla asserted. According to the company’s research, 48% of those prompts are “actively denied by the user” and a whopping 99% go unaccepted. In other words, they’re a vast waste of both websites’ and users’ time.
Firefox 72 blocks the notifications from reaching the screen – and obscuring part of the underlying page – and instead adds a small comic-style speech bubble, one that briefly jiggles for attention no less, to the address bar. Users can click on the bubble to pull up the usual notification pop-up – perhaps to dismiss it entirely and lose the bubble – or just ignore it. (It jiggles just once.)
Users can, of course, check the long-available box marked “Block new requests asking to allow notifications” in Options (Windows) or Preferences (macOS) to avoid all such irritants. (To reach that, from the “Privacy & Security” section, choose “Permissions,” then click the “Settings” button beside “Notifications.”)
Mozilla also trumpeted another addition to Firefox’s anti-tracking skillset that it baked into version 72.
“The latest Firefox browser protects you against fingerprinting by blocking third-party requests to companies that are known to participate in fingerprinting,” Mozilla said.
Like cookie-based tracking, fingerprinting is used by sites and advertisers to follow users as they wander around the web, most infamously to continue to offer a product that an individual looked at previously. It’s akin to a salesperson following a customer not only around the store, dunning them to buy this or that, but leaving the store with them, tracking them across town and even all the way home.
Fingerprinting relies on piecing together clues – ranging from the browser version and device platform to installed fonts and extensions – to create a profile, hopefully one unique enough to distinguish from others’. Unlike cookie-based tracking, fingerprinting can continue to follow a user even after the browser’s been cleared or its privacy mode has been used to, supposedly, surf anonymously.
Firefox 72 has the fingerprinters portion of Enhanced Tracking Protection (ETP), Mozilla’s name for its collection of anti-tracking technologies, turned on by default. Even if the user has switched off ETP by disabling the other tracker types, the “Fingerprinters” option will be engaged.
Mozilla turned to its partner, Disconnect – which already provided the tracker list that served as the foundation of ETP – as the source of its list of fingerprinters. “Disconnect maintains a list of companies that participate in cross-site tracking, as well as a list of those that fingerprint users. Firefox blocks all parties that meet both criteria,” Steven Englehardt, a Mozilla senior privacy engineer, said in a Jan. 7 post to a company blog.
“Expect to hear more updates from us as we continue to strengthen the protections provided by ETP,” Englehardt added, without going into specifics.
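The rule Englehardt describes, blocking a third-party request only when its host appears on both Disconnect lists, can be modeled in a few lines. This is an added example, not Firefox or Disconnect code: the list contents, the `.example` domains and the function names are constructed, and treating the last two host labels as the registrable domain is a simplifying assumption.

```javascript
// Simplified model of the "both criteria" rule. Not Firefox source code.
// Every domain below is a constructed placeholder, not a real list entry.
const crossSiteTrackers = new Set(["tracker-a.example", "fp-ads.example"]);
const fingerprinters = new Set(["fp-ads.example", "fp-only.example"]);

// Assumption: registrable domain = last two labels. A real browser uses the
// Public Suffix List (eTLD+1), so "co.uk"-style suffixes are not handled here.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// A list entry covers the listed domain and every subdomain beneath it.
function onList(list, hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (list.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide whether the fingerprinter category would block this request.
// Other tracker categories are out of scope for this model.
function classifyRequest(pageUrl, requestUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const reqHost = new URL(requestUrl).hostname;
  // Only third-party requests are candidates for blocking.
  if (registrableDomain(pageHost) === registrableDomain(reqHost)) {
    return { blocked: false, reason: "first-party" };
  }
  const tracks = onList(crossSiteTrackers, reqHost);
  const prints = onList(fingerprinters, reqHost);
  if (tracks && prints) return { blocked: true, reason: "fingerprinter" };
  if (tracks) return { blocked: false, reason: "cross-site-tracker-only" };
  if (prints) return { blocked: false, reason: "fingerprints-only" };
  return { blocked: false, reason: "unlisted" };
}

// Constructed sample requests made while visiting one page.
const page = "https://news.example/story";
for (const req of [
  "https://cdn.fp-ads.example/fp.js",
  "https://fp-only.example/lib.js",
  "https://tracker-a.example/pixel.gif",
  "https://static.news.example/app.js",
]) {
  console.log(req, classifyRequest(page, req));
}
```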
The next version, Firefox 73, should launch Feb. 11.