Longtime Slashdot reader williamyf writes: Firefox 140 just landed. Some user-facing features include:

Vertical Tabs: You can now keep more -- or fewer -- pinned tabs in view for quicker access to important windows. Just drag the divider to resize your pinned tabs section.
Unload Tabs: You can now unload tabs by right-clicking on a tab (or multiple selected tabs) and selecting "Unload Tab." This can speed up performance by reducing Firefox's memory and CPU usage.

But the most important feature? This release is an Extended Support Release (ESR). Why are ESRs so important? ESR is the Firefox version that ships as the default with many Linux distributions. Some downstream projects (like Waterfox) depend on the ESR version. Many enterprise software systems are tested only against ESR. When features are dropped -- like support for older operating systems or Flash -- ESR keeps that functionality around for longer.

And speaking of old operating systems: If you are using Windows 7, 8.1, or macOS 10.12~10.15, note that FireFox ESR 115 (the last version supporting these OSs) will continue to receive patches until at least September 2025.

So one can see why ESR is very important for some people. The release notes are available here.

Veteran columnist Steven J. Vaughan-Nichols declared that Firefox was "dead" to him in a scathing opinion piece Tuesday that cites Mozilla's strategic missteps and the browser's declining technical performance as evidence of terminal decline. Vaughan-Nichols argues that Mozilla has fundamentally betrayed user trust by removing a longstanding promise never to sell personal data from its privacy policy in February, replacing it with a weaker pledge to "protect your personal information."

The veteran technology writer also criticized Mozilla's decision to discontinue Pocket, a popular article-saving service, and Fakespot, which identified fake online reviews, while pursuing what he called a misguided AI strategy. He cited user reports of Firefox running up to 30% slower than Chrome, consuming excessive memory, and failing to properly load major websites. Mozilla has also become financially more vulnerable, he argued, noting CFO Eric Muhlheim's admission that the company depends on Google for 90% of its revenue. According to federal data he cited, Firefox holds just 1.9% of the browser market, leading him to conclude the browser is "done."

A dating site launched last week by Belgian artist Dries Depoorter matches potential partners based on their internet browsing histories rather than curated profiles or photos. Browser Dating requires users to download a Chrome or Firefox extension that exports and uploads their recent search data, creating matches based on shared online behaviors and interests rather than traditional dating app metrics.

Less than 1,000 users have signed up since the platform's launch, paying a one-time fee of $10.3 for unlimited matches or using a free tier limited to five connections. Depoorter, known for digital art projects exploring surveillance and technology, says the concept emerged from a 2016 workshop where participants shared a year of search history data. The platform processes browsing data locally using Google's Firebase tools.

Meta's Facebook and Instagram apps "were siphoning people's data through a digital back door for months," writes a Washington Post tech columnist, citing researchers who found no privacy setting could've stopped what Meta and Yandex were doing, since those two companies "circumvented privacy and security protections that Google set up for Android devices.

"But their tactics underscored some privacy vulnerabilities in web browsers or apps. These steps can reduce your risks." Stop using the Chrome browser. Mozilla's Firefox, the Brave browser and DuckDuckGo's browser block many common methods of tracking you from site to site. Chrome, the most popular web browser, does not... For iPhone and Mac folks, Safari also has strong privacy protections. It's not perfect, though. No browser protections are foolproof. The researchers said Firefox on Android devices was partly susceptible to the data harvesting tactics they identified, in addition to Chrome. (DuckDuckGo and Brave largely did block the tactics, the researchers said....)

Delete Meta and Yandex apps on your phone, if you have them. The tactics described by the European researchers showed that Meta and Yandex are unworthy of your trust. (Yandex is not popular in the United States.) It might be wise to delete their apps, which give the companies more latitude to collect information that websites generally cannot easily obtain, including your approximate location, your phone's battery level and what other devices, like an Xbox, are connected to your home WiFi.

Know, too, that even if you don't have Meta apps on your phone, and even if you don't use Facebook or Instagram at all, Meta might still harvest information on your activity across the web.

"It appears as though Meta (aka: Facebook's parent company) and Yandex have found a way to sidestep the Android Sandbox," writes Slashdot reader TheWho79. Researchers disclose the novel tracking method in a report: We found that native Android apps -- including Facebook, Instagram, and several Yandex apps including Maps and Browser -- silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users' web activity.

While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs. This technique circumvents privacy protections like Incognito Mode, cookie deletion, and Android's permission model, with Meta Pixel and Yandex Metrica scripts silently communicating with apps across over 6 million websites combined.

Following public disclosure, Meta ceased using this method on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo have implemented or are developing mitigations, but a full resolution may require OS-level changes and stricter enforcement of platform policies to prevent further abuse.

An anonymous reader shares a report: Microsoft's changes in response to the Digital Markets Act already included allowing Windows machines in the regions it covers to uninstall Edge and remove Bing results from Windows search, but now the list is growing in some meaningful ways. New features announced Monday for Microsoft Windows users in the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway) include the option to uninstall the Microsoft Store and avoid extra nags or prompts asking them to set Microsoft Edge as the default browser unless they choose to open it.

Additionally, setting a different browser, like Chrome, Firefox, Brave, or something else, will pin it to the taskbar unless the user chooses not to. While setting a different browser default already attaches it to a few link and file types like https and .html, now users in the EEA will see it apply to more types like "read," ftp, and .svg. The default browser changes are live for some users in the beta channel and are set to roll out widely on Windows 10 and Windows 11 in July.

"Firefox's address bar just got an upgrade," Mozilla writes on their blog: Keep your original search visible

When you perform a search, your query now remains visible in the address bar instead of being replaced by the search engine's URL. Whereas before your address bar was filled with long, confusing URLs, now it's easier to refine or repeat searches... [Clicking an icon left of the address bar even pulls up a list of search-engine choices under the heading "This time search with..."]


Search your tabs, bookmarks and history using simple keywords

You can access different search modes in the address bar using simple, descriptive keywords like @bookmarks, @tabs, @history, and @actions, making it faster and easier to find exactly what you need.


Type a command, and Firefox takes care of it

You can now perform actions like "clear history," "open downloads," or "take a screenshot" just by typing into the address bar. This turns the bar into a practical productivity tool — great for users who want to stay in the flow...


Cleaner URLs with smarter security cues

We've simplified the address bar by trimming "https://" from secure sites, while clearly highlighting when a site isn't secure. This small change improves clarity without sacrificing awareness.
"The new address bar is now available in Firefox version 138," Mozilla writes, calling the new address bar faster, more intuitive "and designed to work the way you do."

BrianFagioli writes: In a surprising move that will frustrate longtime fans, Mozilla has announced it will shut down Pocket on July 8, 2025. The once-popular read-it-later service, which helped users save and organize web content for later reading, will no longer function as normal after that date. While existing users can continue saving and reading articles until July, the service will switch to export-only mode afterward, with all user data permanently deleted on October 8. The Firefox-maker will also shut down Fakespot, a service that allows users to identify unreliable reviews, on July 1.

During this year's annual Pwn2Own contest, two researchers from Palo Alto Networks demonstrated an out-of-bounds write vulnerability in Mozilla Firefox, reports Cyber Security News, "earning $50,000 and 5 Master of Pwn points." And the next day another participant used an integer overflow to exploit Mozilla Firefox (renderer only).

But Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox..." We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture.
Even though neither attack could escape their sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla responded to an exploitable security bug within 21 hours, they point out, even winning an award as the fastest to patch.)

The new updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible...." To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....

Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected.

It's a nonprofit that's provide hosting for the Linux Foundation, the Apache Software Foundation, Drupal, Firefox, and 160 other projects — delivering nearly 430 terabytes of information every month. (It's currently hosting Debian, Fedora, and Gentoo Linux.) But hosting only provides about 20% of its income, with the rest coming from individual and corporate donors (including Google and IBM). "Over the past several years, we have been operating at a deficit due to a decline in corporate donations," the Open Source Lab's director announced in late April.

It's part of the CS/electrical engineering department at Oregon State University, and while the department "has generously filled this gap, recent changes in university funding makes our current funding model no longer sustainable. Unless we secure $250,000 in committed funds, the OSL will shut down later this year."

But "Thankfully, the call for support worked, paving the way for the OSU Open Source Lab to look ahead, into what the future holds for them," reports the blog It's FOSS.

"Following our OSL Future post, the community response has been incredible!" posted director Lance Albertson. "Thanks to your amazing support, our team is funded for the next year. This is a huge relief and lets us focus on building a truly self-sustaining OSL." To get there, we're tackling two big interconnected goals:

1. Finding a new, cost-effective physical home for our core infrastructure, ideally with more modern hardware.
2. Securing multi-year funding commitments to cover all our operations, including potential new infrastructure costs and hardware refreshes.


Our current data center is over 20 years old and needs to be replaced soon. With Oregon State University evaluating the future of this facility, it's very likely we'll need to relocate in the near future. While migrating to the State of Oregon's data center is one option, it comes with significant new costs. This makes finding free or very low-cost hosting (ideally between Eugene and Portland for ~13-20 racks) a huge opportunity for our long-term sustainability. More power-efficient hardware would also help us shrink our footprint.

Speaking of hardware, refreshing some of our older gear during a move would be a game-changer. We don't need brand new, but even a few-generations-old refurbished systems would boost performance and efficiency. (Huge thanks to the Yocto Project and Intel for a recent hardware donation that showed just how impactful this is!) The dream? A data center partner donating space and cycled-out hardware. Our overall infrastructure strategy is flexible. We're enhancing our OpenStack/Ceph platforms and exploring public cloud credits and other donated compute capacity. But whatever the resource, it needs to fit our goals and come with multi-year commitments for stability. And, a physical space still offers unique value, especially the invaluable hands-on data center experience for our students....

[O]ur big focus this next year is locking in ongoing support — think annualized pledges, different kinds of regular income, and other recurring help. This is vital, especially with potential new data center costs and hardware needs. Getting this right means we can stop worrying about short-term funding and plan for the future: investing in our tech and people, growing our awesome student programs, and serving the FOSS community. We're looking for partners, big and small, who get why foundational open source infrastructure matters and want to help us build this sustainable future together.
The It's FOSS blog adds that "With these prerequisites in place, the OSUOSL intends to expand their student program, strengthen their managed services portfolio for open source projects, introduce modern tooling like Kubernetes and Terraform, and encourage more community volunteers to actively contribute."

Thanks to long-time Slashdot reader I'm just joshin for suggesting the story.

An anonymous reader shared this report from The Verge: Firefox could be put out of business should a court implement all the [U.S.] Justice Department's proposals to restrict Google's search monopoly, an executive for the browser owner Mozilla testified Friday. "It's very frightening," Mozilla CFO Eric Muhlheim said.

The Department of Justice wants to bar Google from paying to be the default search engine in third-party browsers including Firefox, among a long list of other proposals including a forced sale of Google's own Chrome browser and requiring it to syndicate search results to rivals. The court has already ruled that Google has an illegal monopoly in search, partly thanks to exclusionary deals that make it the default engine on browsers and phones, depriving rivals of places to distribute their search engines and scale up. But while Firefox — whose CFO is testifying as Google presents its defense — competes directly with Chrome, it warns that losing the lucrative default payments from Google could threaten its existence.

Firefox makes up about 90 percent of Mozilla's revenue, according to Muhlheim, the finance chief for the organization's for-profit arm — which in turn helps fund the nonprofit Mozilla Foundation. About 85 percent of that revenue comes from its deal with Google, he added. Losing that revenue all at once would mean Mozilla would have to make "significant cuts across the company," Muhlheim testified, and warned of a "downward spiral" that could happen if the company had to scale back product engineering investments in Firefox, making it less attractive to users. That kind of spiral, he said, could "put Firefox out of business." That could also mean less money for nonprofit efforts like open source web tools and an assessment of how AI can help fight climate change.

Ironically, Muhlheim seemed to suggest that could cement the very market dominance the court seeks to remedy. Firefox's underlying Gecko browser engine is "the only browser engine that is held not by Big Tech but by a nonprofit," he said.

Firefox has launched its long-awaited tab groups feature, responding to the most upvoted request in Mozilla Connect's three-year history. The feature allows users to organize tabs by name or color through a drag-and-drop interface.

Mozilla is now developing an AI-powered "smart tab groups" feature that automatically suggests organization based on open tabs. Unlike competitors, the company said, Firefox processes this data locally, keeping tab information on the user's device rather than sending it to cloud servers.

Ruby on Rails creator and Basecamp CTO David Heinemeier Hansson, makes a case for why Google shouldn't be forced to sell Chrome: First, Chrome won the browser war fair and square by building a better surfboard for the internet. This wasn't some opportune acquisition. This was the result of grand investments, great technical prowess, and markets doing what they're supposed to do: rewarding the best. Besides, we have a million alternatives. Firefox still exists, so does Safari, so does the billion Chromium-based browsers like Brave and Edge. And we finally even have new engines on the way with the Ladybird browser.

Look, Google's trillion-dollar business depends on a thriving web that can be searched by Google.com, that can be plastered in AdSense, and that now can feed the wisdom of AI. Thus, Google's incredible work to further the web isn't an act of charity, it's of economic self-interest, and that's why it works. Capitalism doesn't run on benevolence, but incentives.

We want an 800-pound gorilla in the web's corner! Because Apple would love nothing better (despite the admirable work to keep up with Chrome by Team Safari) to see the web's capacity as an application platform diminished. As would every other owner of a proprietary application platform. Microsoft fought the web tooth and nail back in the 90s because they knew that a free, open application platform would undermine lock-in -- and it did!

Slashdot reader king*jojo shared this article from The Register: A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...

Mozilla plans to introduce a suite of paid professional services for its open-source Thunderbird email client, transforming the application into a comprehensive communication platform. Dubbed "Thunderbird Pro," the package aims to compete with established ecosystems like Gmail and Office 365 while maintaining Mozilla's commitment to open-source software.

The Pro tier will include four core services: Thunderbird Appointment for streamlined scheduling, Thunderbird Send for file sharing (reviving the discontinued Firefox Send), Thunderbird Assist offering AI capabilities powered by Flower AI, and Thundermail, a revamped email client built on Stalwart's open-source stack. Initially, Thunderbird Pro will be available free to "consistent community contributors," with paid access for other users.

Mozilla Managing Director Ryan Sipes indicated the company may consider limited free tiers once the service establishes a sustainable user base. This initiative follows Mozilla's 2023 announcement about "remaking" Thunderbird's architecture to modernize its aging codebase, addressing user losses to more feature-rich competitors.

Long-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better. (See 2024-03-11, 2024-07-08, and 2025-01-30.)

This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.
That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.

I wish I had better news.
In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:

• Pale Moon
• Basilisk
• Waterfox
• Falkon
• SeaMonkey
• Various Firefox ESR flavors
• Thorium (on some systems)
• Ungoogled Chromium
• K-Meleon
• LibreWolf
• MyPal 68
• Otter browser

Slashdot reader Z00L00K speculates that "this is some kind of anti-bot measure that fails. I suspect that the reason for them wanting a NDA to be signed is to prevent ways to circumvent the anti-bot measures..."

Mozilla is urging Firefox users to update their browsers to version 128 or later (or ESR 115.13 for extended support users) before March 14, 2025, to avoid security risks and add-on disruptions caused by the expiration of a key root certificate. "On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons," warns a Mozilla blog post. "We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted." BleepingComputer reports: A Mozilla support document explains that failing to update Firefox could expose users to significant security risks and practical issues, which, according to Mozilla, include:

- Malicious add-ons can compromise user data or privacy by bypassing security protections.
- Untrusted certificates may allow users to visit fraudulent or insecure websites without warning.
- Compromised password alerts may stop working, leaving users unaware of potential account breaches.

It is noted that the problem impacts Firefox on all platforms, including Windows, Android, Linux, and macOS, except for iOS, where there's an independent root certificate management system. Mozilla says that users relying on older versions of Firefox may continue using their browsers after the expiration of the certificate if they accept the security risks, but the software's performance and functionality may be severely impacted.

Mozilla has warned that the U.S. Department of Justice's proposed remedies in its antitrust case against Google would harm independent browsers and reduce competition in the browser market. The DOJ and several state attorneys general last week filed revised proposed remedies in the U.S. v. Google search case that would prohibit all search payments to browser developers, a move Mozilla says would disproportionately impact smaller players.

"These proposed remedies prohibiting search payments to small and independent browsers miss the bigger picture -- and the people who will suffer most are everyday internet users," said Mark Surman, President of Mozilla. Unlike Apple and Microsoft, which generate revenue from hardware and operating systems, Mozilla relies primarily on search revenue to fund browser development. Mozilla argues that cutting these payments would not solve search dominance but would instead strengthen the position of tech giants.

Mozilla also warned that the proposal threatens its ability to maintain Gecko, one of only three major browser engines alongside Google's Chromium and Apple's WebKit. "If we lose our ability to maintain Gecko, it's game over for an open, independent web," Surman said, noting that even Microsoft abandoned its browser engine in 2019. "If Mozilla is unable to sustain our browser engine, it would severely impact browser engine competition and mean the death of the open web as we know it -- essentially, creating a web where dominant players like Google and Apple, have even more control, not less."

Firefox serves 27 million monthly active users in the U.S. and nearly 205 million globally.

A critical root certificate expiring on March 14, 2025 will disable extensions and potentially break DRM-dependent streaming services for Firefox users running outdated browsers. Users must update to at least Firefox 128 or ESR 115.13+ to maintain functionality across Windows, macOS, Linux, and Android platforms.

The expiration additionally compromises security infrastructure, including blocklists for malicious add-ons, SSL certificate revocation lists, and password breach notifications. Even those on legacy operating systems (Windows 7/8/8.1, macOS 10.12â"10.14) must update to minimum ESR 115.13+.

An anonymous reader quotes a report from 9to5Linux: Mozilla published today the final build of the Firefox 136 open-source web browser for all supported platforms ahead of the March 4th, 2025, official release date, so it's time to take a look at the new features and changes. Highlights of Firefox 136 include official Linux binary packages for the AArch64 (ARM64) architecture, hardware video decoding for AMD GPUs on Linux systems, a new HTTPS-First behavior for upgrading page loads to HTTPS, and Smartblock Embeds for selectively unblocking certain social media embeds blocked in the ETP Strict and Private Browsing modes.

Firefox 136 is available for download for 32-bit, 64-bit, and AArch64 (ARM64) Linux systems right now from Mozilla's FTP server. As mentioned before, Mozilla plans to officially release Firefox 136 tomorrow, March 4th, 2025, when it will roll out as an OTA (Over-the-Air) update to macOS and Windows users. Here's a list of the general features available in this release:

- Vertical Tabs Layout
- New Browser Layout Section
- PNG Copy Support
- HTTPS-First Behavior
- Smartblock Embeds
- Solo AI Link
- Expanded Data Collection & Use Settings
- Weather Forecast on New Tab Page
- Address Autofill Expansion

A full list of changes can be found here.