




Crikey, look at that mess:

Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.

Method 1: View the following registry key: HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion

Method 2: Search for the firefox.exe file using the search feature of the operating system. Examine the file's properties for the product version (not the file version). For Windows OS, determine the version of the file by navigating to Properties/Version/Product Version. Examine all instances of firefox.exe that are present on the endpoint.

Criteria: If the version number of the firefox.exe file is less than 50.1.x (or ESR 45.7.x), this is a finding.

How about clicking on "About Firefox" in the menu? "Other trusted source" - like softonic, yes?


As someone who has had to implement STIG, that is not a realistic method. This stuff is implemented via automation over hundreds of nodes at a time, and having to click through anything in automation is slow and error-prone.

STIG itself is just a fancy check-list. Ideally, real world implementation is automated via something like OpenSCAP.


> How about clicking on "About Firefox" in the menu?

Perhaps they don’t trust it enough to execute it until they know it’s the latest version and was obtained from a trustworthy source.


At least the version there is baked into the (signed) .exe while the registry information can be edited independently.
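An added example, not from the thread, that automates the quoted STIG check in PowerShell: it reads the registry value (Method 1), then inspects the ProductVersion of every firefox.exe on the endpoint (Method 2) together with its Authenticode signature, which is the point made above about the registry being editable while the .exe is signed. The registry path and the 50.1 / ESR 45.7 thresholds are as quoted; detecting an ESR build from an "esr" marker in the version string, and scanning all of C:\, are assumptions.

```powershell
# Added example (not from the thread): automates the quoted STIG check.
# Assumptions: run elevated on a Windows endpoint; registry path and
# threshold versions are the ones quoted; ESR builds are recognised by
# an "esr" marker in the product version string (adjust for your build).

$RegPath    = 'HKLM:\Software\Mozilla\Mozilla Firefox'
$MinRelease = [version]'50.1'
$MinEsr     = [version]'45.7'

# Pull the leading dotted number out of strings like "52.9.0" or
# "45.7.0 (x86 en-US)" so the [version] cast does not choke on suffixes.
function ConvertTo-FirefoxVersion {
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match '^\s*(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}

# Returns $true when the installed version is below the quoted floor.
function Test-FirefoxFinding {
    param([Parameter(Mandatory)][version]$Version, [bool]$IsEsr = $false)
    $floor = if ($IsEsr) { $MinEsr } else { $MinRelease }
    return $Version -lt $floor
}

# Method 1: registry. Quick to read, but it is a separate value that can be
# edited independently of the binary, so treat it as a hint, not evidence.
$regValue = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).CurrentVersion
Write-Host "Registry CurrentVersion: $regValue"

# Method 2: every firefox.exe on disk. ProductVersion (not FileVersion) is
# what the quoted criteria ask for; it is embedded in the signed binary.
$exes = Get-ChildItem -Path 'C:\' -Filter 'firefox.exe' -Recurse -File -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    $product = $exe.VersionInfo.ProductVersion
    $ver     = ConvertTo-FirefoxVersion -Text $product
    if (-not $ver) { "UNKNOWN`t$product`t$($exe.FullName)"; continue }
    $isEsr   = $product -match 'esr'
    $sig     = Get-AuthenticodeSignature -FilePath $exe.FullName
    $status  = if (Test-FirefoxFinding -Version $ver -IsEsr $isEsr) { 'FINDING' } else { 'ok' }
    "{0}`t{1}`t{2}`tsignature={3}" -f $status, $product, $exe.FullName, $sig.Status
}
```

A signature status other than Valid on a binary reporting a compliant version is worth a second look, since the version string alone can be set by anyone who can write the file.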


Should there be any difference between Red Hat and CentOS?


I would use the Red Hat guide because it is comprehensive.



