Mozilla: Firefox to block cryptomining scripts hidden on websites by default

Mozilla sets out Firefox's upcoming protections against cryptojacking and fingerprint scripts, plus its rollout plans.

Firefox adds new defenses against browser fingerprinting and cryptomining scripts Mozilla sets out Firefox's upcoming protections against cryptojacking and fingerprint scripts, plus its rollout plans.

An upcoming release of Firefox will give users the option to block two increasingly common and ugly aspects of today's web: browser fingerprinting and cryptomining scripts. 

Neither type of script is helpful or beneficial to browser users. Fingerprinting lets advertising outfits silently track users around the web and profit from users' activity and interests. 

Meanwhile, freeloading opportunists have found it profitable to plant cryptomining JavaScript on websites and secretly sponge off a visitor's CPU to 'earn' cryptocurrency. 

Web-based cryptomining took off after the launch of the JavaScript-based Monero miner, Coinhive, which was created with the intention to challenge the online advertising business model. But it was quickly adapted for 'cryptojacking', or hijacking a victim's CPU through a browser so that it mines for cryptocurrency on someone else's behalf.   

SEE: How to build a successful developer career (free PDF)

Coinhive shut down on March 8, but there's a long tail of rivals that will keep the cryptojacking threat alive for the foreseeable future.

Mozilla, keen to make Firefox relevant again in a Chromium world, on Tuesday revealed that Firefox Nightly 68 and Firefox Beta 67 will include protections against both threats, thanks to a new blacklist of websites known to use scripts for either purpose. The blacklist was compiled by Disconnect, a VPN maker known for its anti-tracking efforts.  

ZDNet's Catalin Cimpanu revealed Mozilla's anti-fingerprinting efforts using 'letterboxing' in Firefox 67 last week. But Mozilla has now shared more specifics about that and related protections against cryptojacking, how the protections can be enabled in Firefox, and its plans for a rollout. 

Mozilla is taking a multi-pronged approach to fingerprinting. Letterboxing aims to thwart a technique used to tag a browser – for example, by measuring a browser's window size at a point in time – for persistent tracking across websites without the aid of cookies. The second piece is a blacklist of sites that are known to use fingerprinting scripts and sites known to use cryptomining scripts.

The script-blocking feature is now part of Firefox's 'Content Blocking' settings within the 'Privacy and Security' tab in Preferences. Within 'Content Blocking', Firefox users can check boxes to block either or both Cryptominers and Fingerprinters.

"Once enabled, Firefox will block any scripts that have been identified by [privacy tool] Disconnect to participate in cryptomining or fingerprinting," said Mozilla's Arthur Edelstein, adding that the protections will be on by default in Nightly "in the coming weeks".  

Firefox 67 is due for release in mid-May and until then Mozilla is seeking feedback about the effectiveness of the new protections. 

Like most security solutions, Mozilla's isn't watertight. The blacklisting side will only be as good as Disconnect's list of known offenders, which may be incomplete or could become outdated as additional sites include the offending scripts. And there are multiple techniques for fingerprinting a device through a browser that aren't accounted for.  

But it's better than nothing and could be appealing to users looking for a reason not to use Chrome. 

Mozilla said it plans to "continue to work with Disconnect to improve and expand the set of domains blocked by Firefox". It's also concerned that enabling the feature could break some websites in the browser and it wants feedback about these occasions.  

The browser maker seems intent on proceeding with the feature, confirming that it does plan to enable these protections by default in some future release of Firefox. 

More on Firefox and security