Firefox 151 Ships PDF Merging, Document Picture-in-Picture, and a 14% Fingerprinting Reduction
Mozilla ships Firefox 151 on May 19, 2026, patching 25 security vulnerabilities and adding PDF merging, Document PiP, Web Serial API, and tighter fingerprinting controls.
Overview
Mozilla released Firefox 151 on May 19, 2026, closing out a development cycle that fixed 2,691 bugs during the nightly phase and 388 uplifts to beta. The release patches 25 security vulnerabilities—4 rated high severity—and delivers a set of user-facing features focused on privacy, file handling, and developer tooling. The official release notes describe the update as shipping a redesigned New Tab page, built-in PDF merging, and a new Document Picture-in-Picture API alongside enhanced fingerprinting protections.
What We Know
Security Patches
Firefox 151’s security advisory MFSA2026-46 documents 25 fixed vulnerabilities. The four high-severity issues are CVE-2026-8945 (sandbox escape), CVE-2026-8946 (incorrect boundary conditions in audio/video codecs), CVE-2026-8947 (use-after-free in DOM bindings), and CVE-2026-8948 (same-origin policy bypass in networking). An additional three memory-safety CVEs—CVE-2026-8973, CVE-2026-8974, and CVE-2026-8975—address bugs in Firefox 150 that showed “evidence of potential exploitation.” The remaining 18 vulnerabilities are rated moderate or low.
Fingerprinting Protection
Firefox 151 strengthens its Standard Enhanced Tracking Protection mode to reduce device identifiability. According to the official release notes, the update reduces unique identifiability “by an average of ~14%, and by ~49% on macOS.” The same update completes the rollout of local network access restrictions to all users, requiring websites to request explicit permission before connecting to localhost or other local network addresses.
Built-in PDF Merging
Firefox’s PDF viewer gains the ability to merge PDF files into a single document, with support for reordering and deleting pages before export. Previously, users had to rely on third-party tools or browser extensions for this task.
Private Browsing Session Clear
A one-click fire icon now appears in the URL bar when in Private Browsing Mode, letting users clear cookies, history, and site data from the current session. The release notes note users can now “instantly clear all data from your current session without closing the entire window”, addressing a long-standing friction point for privacy-conscious users.
Profile Backups on Linux
Local Firefox profile backups, previously limited to Windows, now extend to Linux and macOS. Users can create local backups of their Firefox profile and restore them across platforms, with extensions and themes preserved through the restoration process.
New Tab Redesign
Firefox Home—the browser’s new tab page—has a “fresh, new look and feel” with an updated layout and rounded pill-shaped search bar, a design drawn from Mozilla’s in-progress Nova redesign. The update increases the maximum number of displayable shortcuts to four rows and redesigns the weather widget to show current temperature alongside highs and lows.
Developer Platform Additions
MDN’s release documentation lists several new web platform APIs. The Document Picture-in-Picture API is now enabled on desktop, allowing web apps to open always-on-top windows populated with arbitrary HTML content—targeted at use cases like video conference controls, stock tickers, and media countdowns. The Web Serial API lands on desktop, giving web applications the ability to communicate with microcontrollers and hardware devices including ESP boards, Raspberry Pi Picos, BBC micro:bits, 3D printers, and CNC machines.
On the CSS side, @container rules now support style() queries, letting developers apply conditional styles to child elements based on whether a container matches a given CSS declaration or custom property. The Fullscreen Keyboard Lock API (element.requestFullscreen({ keyboardLock: true })) also ships, preventing the Escape key from exiting fullscreen without a long-press.
Enterprise and Policy Changes
Firefox 151 adds two new enterprise policies: LocalNetworkAccess for controlling how the browser handles requests to localhost and local network addresses, and XSLTEnabled for toggling XSLT processing support. Mozilla has also migrated its enterprise policy documentation to a new dedicated site at firefox-admin-docs.mozilla.org. Firefox 140 is now the current Extended Support Release; Firefox 153 will be the next ESR.
What We Don’t Know
Mozilla has not published telemetry or adoption figures for the fingerprinting protection improvements to date. It is unclear how the Local Network Access restriction policy will affect web applications that legitimately connect to local services—such as developer tooling or media servers—and whether exemption workflows will be straightforward for typical users. The VPN location selection feature ships to “selected countries only” with no published list of supported regions.
Analysis
Firefox 151 is a compact release with no single transformative feature, but its breadth is notable. The simultaneous arrival of PDF merging and Document Picture-in-Picture brings the browser closer to feature parity with Chrome in two categories where users have historically turned to extensions. The fingerprinting reduction—particularly the 49% figure on macOS—is among the more aggressive default-tracking-protection improvements in recent Firefox history, landing without requiring users to change settings. The 25-CVE security advisory, including four high-severity patches and memory safety fixes with exploitation evidence, makes this a release where prompt updating matters. What Train Is It Now’s release tracking shows 2,691 bugs addressed during the nightly cycle, suggesting sustained engineering investment even as Mozilla navigates strategic shifts around its AI features and subscription offerings.