All Products Community Forum

We recently update Firefox with version 138.0 and now getting the message "Gah. Your tab just crashed" when opening the browser.

We attempted to update and install version 138.0.1 only resulting with the same error. We also found and attempted the following all resulting with the same error: - change the about:config page for settings to false for both browser.tabs.remote.autostart and browser.tabs.remote.autostart.2

- clear browser cache.

- enable Temporary Mode in the Help menu. This appears to fix the problem but only for the current browser session. When a new Firefox window is opened, the error reappears.

What is needed to resolve this error or is there a way to permanently enable Temporary Mode or some similar setting? Thanks for all your help with this.

How to disable Firefox add-ons in order to block to install temporary extensions. I am generating policies via Firefox Policy generator. {

 "name": "myconfig",
 "time": "2025-12-14T13:17:27.479Z",
 "configuration": {
   "arrayfields": {},
   "checkboxes": {
     "BlockAboutAddons": true,
     "BlockAboutConfig": true,
     "BlockAboutProfiles": true
   },
   "input": {},
   "textareas": {},
   "select": {}
 }

}

I would like to know how the Firefox CVEs are affected on its version which are mentioned in NVD.

Let take mfsa2025-59, for example CVE-2025-8040, as per the NVD its says Firefox ESR < 140.1 is affected so does that mean it affect all the version which are lower than 140.1 which included the ESR 128 and ESR 115 versions or just the ESR 140 version series? then it raise on more question check this cve-2025-8029 in NVD it has specifically mentioned it only affect "Firefox ESR < 128.13, Firefox ESR < 140.1" and not the ESR 115 versions. Could anyone confirm it does not affect the ESR 115 versions or it affect all the versions? Now check this one cve-2025-8027, NVD clearly mentioned "Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1" are affected so what I understand is that if the Firefox ESR 115 is vulnerable to any CVE it would be mentioned in the NVD specifically.

My point is that if any Firefox CVEs are listed in NVD and it specify only one version like “Firefox ESR < 140.1” what does that mean? Does it affect all the versions which include ESR 128 and ESR 115 or just the ESR 140 series version only affected? If any CVEs are affected on the ESR 115 and ESR 128 does Mozilla specifically mentioned those versions are affected right? Just like its mentioned in the cve-2025-8027

Any help would be appreciated to clarify this.

Hi guys,

I'm trying to uninstall an extension using a GPO, but it's not working.

I've placed a GPO on the user's OU and configured the ID to be removed in the User-Part of that GPO. I previously retrieved the ID using about:debugging.

But nothing happens; the extension isn't removed. (Logoff/Logon/reboot/gpupdate /force .....)

128.11.0esr (64-Bit)

KeePassXC-Browser Extension

The GPOs for Edge and Chrome have the same function. Enter the ID there, and the extension is reliably removed.

Any suggestions? Thanks

Michael

I've been struggling for months to standardize a deployment of Firefox ESR across various client environments that reliably auto-updates and doesn't cause UAC prompts and XULRunner profile error pop-ups(I work in IT).

We deploy Firefox ESR in bulk on machines via a batch script which runs as SYSTEM, with msiexec /i and /qn flags.

Firefox installs fine, but then users are typically met with a UAC prompt when they first try to run Firefox. If they decline, then the UAC prompt comes back again next time and often fails to update at all, so the machine is left on an older, vulnerable version.

Regarding the environment: we have deployed the Firefox ESR admx templates and enabled the relevant auto update settings in Group Policy. But only some machines seem to stay up to date, and it seems like this only happens if a user with local administrative privileges has run the program at least once.

What I find unusual is that Firefox seems to attempt to make a "Background Updater" scheduled task for every user that runs the software on each PC, but these users do not have administrative privileges, and the scheduled task is set to only run when that user is logged in. Obviously a scheduled task running as a user with limited privileges isn't going to be able to update files in the Mozilla/Firefox subdirectory in "Program Files" as by default that's read-only access for non-admin users. And, obviously, if a user with local admin privileges DOES log into the machine, then it can update once, but then the scheduled task that it creates for that user (now with admin privileges) will only run when that user logs in - and we don't login as "admin"-privileged users day-to-day.

So, various machines are out of date, running vulnerable Firefox 128 instead of 140 or 142 even though they're all deployed from the same image and have the same policies and restrictions, and ran the same installer for Firefox.

Is there some reason why the auto update scheduled task isn't created at installation time, when administrative privileges have been granted? It's very odd that it doesn't, because then every time a user logs into a machine it seems like Firefox ESR creates the background upgrade task under a non-admin user which simply won't work. I see machines having 4 or 5 background upgrade scheduled tasks, all created by Firefox ESR, and yet the software still won't update - there's a UAC prompt every time the program launches, and going to Help -> About shows "Restart Firefox to update..." but then when clicking the button to restart Firefox, we get the UAC prompt, user doesn't have privileges, so this goes around and around in circles.

Is there a reliable way to keep Firefox up to date without manually logging into each machine and going through the UAC prompts? Can we manually create a scheduled task with the correct user account that has privileges to actually upgrade Firefox?

The background auto update mechanism simply doesn't make sense to our team on a machine-wide install.

I previously posted this question: https://support.mozilla.org/en-US/questions/1495577

Asking how to use the "intl.accept_languages" setting within the JSON for the new preferences setting within group policy.

A moderator posted this as a comment which I have only just noticed: "The value is a string, so it has to be in quotes "en-GB"" - the post is now too old for me to reply.

I'm still having issues using this setting even after putting the name in quotes. I've tried:

"intl.accept_languages": { "Value": "en-GB", "Status": "user" }

"intl.accept.languages": { "Value": "en-GB", "Status": "user" }

But neither work, please can someone clarify what exactly needs to be used within the JSON?

GNU nano 8.6 /etc/firefox/policies.json {

 "policies": {
   "DisableFirefoxStudies": true,
   "DisableTelemetry": true,
   "DisableSystemAddonUpdate": true

   "Preferences": {
     "app.normandy.enabled": false,
     "app.shield.optoutstudies.enabled": false,
     "extensions.autoDisableScopes": 15
    }
  }
} Hidden modifications to settings and extensions is absolutely not OK!!!!!!

This is a security environment.

Hello. I know how to define a server certificate exception to avoid browser warnings in case of certificate issue with a website (see attachment). However, I'd like to apply that exception for all users with access to my machine using a GPO (for user or local machine). This is also a requirement in my work where many users run Firefox from a server and the face browser warnings all the time (related to self-signed certificates) so it would be great to apply an exception for all users through a GPO specifying the self-signed certificate warning we want Firefox to ignore. Thanks.

Hello,

I had issue to verify the cert on android app for https://partners-enrichment.heytelecom.be. On Windows I didn't have the same issue.

version 144.0.2 / build id 20251027123126 / target arm64-v8a armeabi-v7a x86_64 Device: Samsung S22 / One UI 7.0 / Android version 15 / version S901U1UES8FYI2 / Security patch level September 1, 2025

Error: Secure Connection Failed, because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

CertChain RCA: DigiCert Global Root G2 DCA: DigiCert Global G2 TLS RSA SHA256 2020 CA1 cert: partners-enrichment.heytelecom.be

1) I couldn't check the cert from the gui as on windows. Shield in search bar / Connection not secure doesn't opened the cert. Is it expected?

2) I found this helppage: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Unfortunately about:preferences isn't available on android (ref. https://www.reddit.com/r/firefox/comments/u593x0/how_to_access_to_aboutpreferences_on_android/)

I see in about:certificate which is the correct RCA (I verified the pem file with the root). DigiCert Global Root G2

Where do I check the Intermediate CA's (DCA)?

3) When exporting the RCA it has been download as: digicert-global-root-g2.pem.txt Why the txt at the end?

On Windows it downloads as digicert-global-root-g2.pem

Kind regards,

There is a enterprise download for windows and Apple but i do not see a download option for Linux from this site. https://www.firefox.com/en-CA/browsers/enterprise/

But there is a download for the ESR version from https://ftp.mozilla.org/pub/firefox/releases/

Is there a reason why Linux is not on the main enterprise download page ?

I am working on a stig for Mozilla Firefox and I'm trying to do a scap compliance scan but or some reason I am getting a score of zero on all systems. We do patch regularly and at some point one of the version upgrades caused our compliance scans stopped working. I need a fix and cannot find anything when searching for this issue.

I know nothing about the dev options for Internet settings and minor turned on and it says the remote server is set to production. No flipping idea what this is. Can somebody please help me?

Hello Everyone,

I am seeking assistance to configure Firefox browser so that internet access is blocked when the browser cannot download or access the proxy Auto-configuration (PAC) file. Our organisation enforces all web traffic through proxy servers defined by a PAC file. For compliance and security reasons, users should not have any direct internet access unless the browser is able to successfully retrieve and apply the PAC file.

The desired behaviour is:

1. Firefox attempts to download the PAC file from a defined URL. 2. If the PAC file is unreachable or fails to load (e.g., due to network restrictions or the device being outside the corporate network), Firefox should "fail closed" - meaning it should not allow any direct internet traffic. 3. This is effectively a "fail-block" mode: no fallback to direct connections, and no cached or bypassed proxy settings should allow internet browsing.

This behaviour is critical to prevent devices from accessing the internet without applying corporate proxy rules. I would like to know:

1/ Whether Firefox currently supports a setting or policy that enforces this fail-block condition when the PAC file is unavailable. 2/ If not, whether there are recommended configurations or enterprise policies (e.g., via `policies.json` or Group Policy templates) that could achieve equivalent enforcement.

Thank you for your assistance and guidance.

Dear Sir or Madam,

We are experiencing an issue with various users on our terminal servers whereby websites open very slowly when using Firefox. When I access the website using Edge from the same user session, everything works very quickly. We have already tried creating a new profile in Firefox and clearing the cache, but without success. Could you please help us?

The operating system used is Windows Server 2022.

I am having the same issue as this other user here: https://www.reddit.com/r/sysadmin/comments/17wvuwh/help_pinning_extension_in_firefox_with_gpo/

Preliminaries -- Initially (before trying to force-pin), I had these GPOs enabled:

Extensions to Install -> https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

Prevent extensions from being disabled or removed ->

• {446900e4-71c2-419f-a6a7-df9c091e268b}
• {3f6129fb-6c55-4452-ab6f-7c109b2301df}
• https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

(Those GPOs above all work.)

What I'm trying to do: Force-pin Bitwarden.

I believe I've followed the documentation correctly (except for not including a "*" case): https://mozilla.github.io/policy-templates/#extensionsettings

I've enabled this GPO with this value:

Extension Management ->

{

 "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
   "default_area": "navbar"
 }

}

After running various "GPUpdate"s and whatnot, the option to uncheck "Pin to toolbar" is still available to click.

I've verified in "about:policies#active" that the JSON item appears next to "ExtensionSettings" and that there are no errors listed in the "Errors" tab.

I've also verified that it appears in the correct location in the Registry.

Since another user had the same issue (Reddit link above), I figured it'd be a good idea to check in with y'all to see if we are missing something.

Thanks for your help!

I look after about 20 PCs. All Windows 10. All were running Firefox ESR ranging from 115 - 128. As I get time I update each to the latest 128.x. Using group policies I've disabled all update settings.

However, on two of the PCs, they have updated to v139.0.1. Both of the users swear they did not manually do any update. I can't figure out how they got downgraded to the retail channel.

So my question is, since 128 < 139 how can I get them back on to the ESR channel, without loosing history, bookmarks, passwords and saved logins? I gather FF's installer will detect 128 as an older version and throw an error?

ESR -> Retail to me is a downgrade. So is it possible then to upgrade back to 128.11.x?

Each PC is refreshed annually and the only backup of the profile folder I have is from the last refresh, which in most cases in 8-9 months old.

Is there any way to find out why the downgrade happened when group policy forbids it, and the user did not manually download and install the latest version?

When these downgrades happen they break things. For example, when one PC was downgraded to retail his outlook.com email no longer works. If he uses his laptop which is on 128.11.0 it works fine.