
Mozilla has released Firefox 148, introducing a long-promised centralized AI Controls panel that allows users to fully disable or granularly manage artificial intelligence features in the browser.
The update also ships critical security fixes and debuts a new standardized web API designed to reduce cross-site scripting (XSS) vulnerabilities.
As previously outlined in early February, the new version adds a dedicated “AI Controls” section in the browser’s Settings, enabling users to block all AI-enhanced features globally or toggle individual capabilities on and off.
The move follows commitments made in December 2025 by Mozilla’s CEO, Anthony Enzor-DeMeo, who outlined a roadmap for integrating generative AI into Firefox while maintaining strict user consent and transparency. At the time, Enzor-DeMeo emphasized that AI features would remain optional and controllable, a promise that materialized with version 148.
From the new AI Controls panel, users can enable or disable features such as built-in translations, AI-powered tab grouping suggestions, link previews that summarize pages before opening, automatic alt-text generation for images in PDFs, and sidebar chatbot integrations with services like ChatGPT, Claude, Microsoft Copilot, Google Gemini, and Mistral’s Le Chat.

A global “Block AI enhancements” switch disables all current and future generative AI features. Importantly, preferences persist across browser updates, reducing the risk that AI tools will be silently re-enabled after major upgrades.
Beyond AI, Firefox 148 improves screen reader support for mathematical formulas embedded in PDFs, strengthening accessibility for visually impaired users in academic and technical contexts. Additionally, Firefox Backup is now available on Windows 10 even for users who enable “Clear history when Firefox closes,” with backups excluding any data configured for automatic deletion.
Goodbye innerHTML, hello setHTML()
Firefox 148 is also the first browser to ship the standardized Sanitizer API, introducing the new setHTML() method as a safer alternative to the widely used innerHTML property.
Cross-site scripting (XSS) attacks, consistently ranked among the most common web vulnerabilities, occur when attackers inject malicious HTML or JavaScript into web pages. The Sanitizer API automatically cleans untrusted HTML before it is inserted into the DOM, removing dangerous elements and attributes by default.

For example, if a developer attempts to inject HTML containing an element with a malicious onclick handler, setHTML() strips the unsafe code while preserving safe elements. Developers can further customize which elements and attributes are allowed, and combine the API with Trusted Types enforcement for stricter protections.
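Because setHTML() is not yet available in every browser, code that adopts it needs a safe path for engines without it. The following is an added example, not code from Mozilla or the original article: `COMMENT_SANITIZER` and `renderUntrusted` are hypothetical names, the allow-list is an assumed policy for user comments, and the sample markup is constructed.

```javascript
// Assumed allow-list policy for user comments: basic formatting elements
// only, and href as the only permitted attribute. Anything not listed is
// dropped by the sanitizer.
const COMMENT_SANITIZER = {
  elements: ["p", "b", "i", "em", "strong", "ul", "ol", "li", "a"],
  attributes: ["href"],
};

// Insert untrusted markup into `target` (a DOM element).
// Returns "sanitized" when the Sanitizer API handled the input and
// "text" when the markup was rendered as inert text instead.
function renderUntrusted(target, untrustedHtml) {
  if (typeof target.setHTML === "function") {
    // Sanitizer API available: parse, sanitize and insert in one call.
    target.setHTML(untrustedHtml, { sanitizer: COMMENT_SANITIZER });
    return "sanitized";
  }
  // No Sanitizer API: show the markup as plain text. Falling back to
  // innerHTML here would reintroduce the XSS sink the API replaces.
  target.textContent = untrustedHtml;
  return "text";
}

// Constructed sample: a paragraph carrying an inline event handler.
const SAMPLE = '<p>Hi <img src="x" onclick="alert(1)"> <b>there</b></p>';

// Browser-only demo; skipped where no DOM exists.
if (typeof document !== "undefined") {
  const box = document.createElement("div");
  console.log(renderUntrusted(box, SAMPLE), box.innerHTML);
}
```

In a browser with the Sanitizer API, the `<img>` element and its handler are removed because neither is on the allow-list, while `<p>` and `<b>` are kept.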
High-severity vulnerabilities patched
Firefox 148 also addresses numerous security flaws.
Among the most serious issues fixed are:
- Multiple use-after-free vulnerabilities in the JavaScript Engine and Garbage Collector components (e.g., CVE-2026-2758, CVE-2026-2795), which could potentially allow arbitrary code execution.
- Sandbox escape flaws in the Graphics: WebRender and IndexedDB components (CVE-2026-2760, CVE-2026-2761, CVE-2026-2768), potentially enabling attackers to break out of browser isolation.
- A privilege escalation vulnerability in the Messaging System component (CVE-2026-2777).
- Several memory safety bugs (CVE-2026-2807, CVE-2026-2792, CVE-2026-2793) affecting Firefox 147 and earlier, some showing evidence of memory corruption that could be exploitable.
Mozilla also resolved a high-severity WebRTC boundary condition flaw (CVE-2026-2757) and multiple JavaScript JIT miscompilation issues that could lead to information disclosure or memory corruption.
Users are strongly advised to upgrade immediately to benefit from the fixes. Firefox updates automatically in the background, but users can manually verify they are running version 148 by navigating to Menu > Help > About Firefox, which triggers an update check and applies the patch if available.
