Title

Firefox must be configured to block pop-up windows. (Cat II impact)

Discussion

Pop-up windows may be used to launch an attack within a new browser window with altered settings. This setting blocks pop-up windows created while the page is loading.

Check Content

Type "about:policies" in the browser address bar. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Default" "true", this is a finding. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Locked" "true", this is a finding. "PopupBlocking" "Enabled" may be used to specify an allowlist of sites where pop-ups are desired, this is optional.

Fix Text

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Popups Policy Name: Block pop-ups from websites Policy State: Enabled Policy Name: Do not allow preferences to be changed Policy State: Enabled Optional: Policy Name: Allowed Sites Policy State: Enabled Click "Show..." and enter a list of websites to be allowlisted. macOS "plist" file: Add the following: <key>PopupBlocking</key> <dict> <key>Allow</key> <array> <string>http://example.mil</string> <string>http://example.gov</string> </array> <key>Default</key> <true/> <key>Locked</key> <true/> </dict> Linux "policies.json" file: Add the following in the policies section: "PopupBlocking": { "Allow": ["http://example.mil/", "http://example.gov/"], "Default": true, "Locked": true}

Additional Identifiers

Rule ID: SV-251553r879587_rule

Vulnerability ID: V-251553

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.