Firefox suspicious subprocess (turned out to be legitimate FF behavior)

Solution 1:

This is related to multi-process feature of Firefox, go through the following official link.

https://support.mozilla.org/en-US/questions/1147868#answer-938004

There are many other Linux threads on this, with same output as you posted, all related to multi-process feature of Firefox.

Solution 2:

Recent versions of Firefox are running multi-process instead of a single process.

The multi-process is applicable to all Firefox users since Firefox 54 was debuted in June 2017. The Multiprocess Firefox documentation describes that Firefox run the browser UI in a separate process from web content. As a result, users may see the "suspicious subprocess" in process list.

Many end users seem to be concerned with the cryptic part of the subprocess, as raised in this forum on mozillaZine and this forum thread on Mozilla Support; just too many to be quoted here.

Direct answers

For me it looks like exploit/malware (Is the subprocess malicious?)

No, recent versions of Firefox behaviour is like that.

Or at least there is something to hide (Is there something to hide?)

No. End users may see differently than what developers see; very few users may have noticed that there is nothing hidden.

How can be sure

There are two reasons that we can be sure:

  1. The fact that the developers do not bother to explain the detail of the subprocess, is the reason we can be sure that is not malicious. At least, I have not found such detail to this date.

  2. This partial answer by TT Farreo at Stack Overflow in late-2017 has hinted that the cryptic part of subprocess is related to the list of blacklisted characters by Mozilla.

From the partial answer at Stack Overflow:

The list of weird looking characters seems to correspond to the blacklisted characters listed in http://kb.mozillazine.org/Network.IDN.blacklist_chars [...]

Now we can make sense of the strange characters:

  • See those fraction characters? Checked.
  • See those binary block characters? Checked.
  • See those invisible spaces? Checked.
  • See the squished unit of radian thingy? Checked.
  • See the question mark in black diamond character? Checked.

The answer at Stack Overflow has also included a link to the source code of content process used by Firefox. End users usually would not dive into that much detail, which is why this answer at Ask Ubuntu would be good enough as it is.

The subprocess is normal, that is all matters.