Mozilla Firefox Adds Free Built‑In VPN with 50 GB Monthly Limit
What Happened — Mozilla released Firefox 149, introducing a free, browser‑only VPN that provides up to 50 GB of data per month for users with a Mozilla account. The VPN routes only browser traffic through a U.S.–based secure proxy and can be limited to up to five specific sites.
Why It Matters for TPRM —
- Introduces a new data‑processing service (proxy logs) that third‑party risk teams must assess for privacy and compliance.
- Shifts part of the organization’s network traffic to a third‑party proxy, creating a potential attack surface.
- May affect contractual obligations around data residency and cross‑border transfers for vendors that rely on Firefox for web‑based workflows.
Who Is Affected — Enterprises that standardize on Firefox for employee web access, especially those in regulated sectors (healthcare, finance, government) and any organization that enforces strict data‑location policies.
Recommended Actions —
- Review Mozilla’s VPN privacy policy and data‑retention terms.
- Update vendor risk questionnaires to capture proxy‑service controls (encryption, logging, jurisdiction).
- Test the VPN’s impact on internal web‑applications, especially single‑sign‑on (SSO) and MFA flows.
- Consider whether the built‑in VPN aligns with your organization’s acceptable use and data‑transfer policies.
Technical Notes — The VPN is a secure proxy, not a full‑system VPN; it logs connection success/failure and data usage per day. Service is currently limited to the U.S., UK, Germany, and France, with no timeline for broader rollout. Firefox 149 also patches 46 high‑severity vulnerabilities (UAF, out‑of‑bounds, JIT, sandbox escapes). Source: BleepingComputer