
Be wary of too many. Your combination of extensions is likely quite unique and finger-printable.



AFAIK Firefox does not share the extensions it uses; Chrome does.

Using these tools [1] [2] [3] suggests I'm most profileable by the fact I use macOS, which I can hide in the user agent string, but it is then still detected.

[1] https://ipleak.net

[2] https://panopticlick.eff.org

[3] https://amiunique.org


It's been a while since I looked into it. From the last study I know on the topic [1]: It is much easier to fingerprint Chrome, however Firefox is susceptible to extension fingerprinting techniques. To be fair, these techniques may have been addressed since publishing - I haven't checked.

It may or may not be worth considering depending on your threat model. There may also be novel techniques published since.

Edit: It looks like amiunique is detecting extensions with Plugin Detector [2] which claims to work on Firefox, and at the very least can detect Adblock (per amiunique).

[1] https://www.cse.chalmers.se/~andrei/codaspy17.pdf

[2] http://www.pinlady.net/PluginDetect/


The threat model is, IMO, pretty clearly defined. If the threat is 3 letter agencies, we'd be trying to fingerprint Tor Browser, and we'd be using Tor (with 2 use cases: one on *.onion only, other one on clearnet via exit nodes). So what we are trying to defend from, is fingerprinting by commercial entities such as FAANG.

I don't use any special plugins; only the default ones (which are a practical, necessary evil). If I were to remove/disable the default plugins, that'd increase my fingerprint.

I've been trying to let websites tell me which extensions I use in Firefox (remember we are using Quantum since Firefox 57, released in November 2017, which changed the way extensions work). The paper is from CODASPY’17, March 22-24, 2017. I haven't been able to reproduce detection of extensions. Keep in mind also that I use some precautions. I block canvas via CanvasBlocker. I block JavaScript via uMatrix. I even block domains via DNS (Pi-Hole) and uBlock Origin.

If I want to be tracked less easily I'd need to not browse fullscreen, I'd need to not use a native Mac browser but run a Windows or Linux VM or a remote SSH connection (which, quite frankly, is quite possible in a terminal these days as per Browsh [1]), and I'd need to use only the default fonts (because I am using specific fonts in ~/Library/Fonts). Some of the fonts there are temporary or backup fonts. I will remove these to a temporary directory, and load them ad-hoc.

[1] https://www.brow.sh


The paper was only the one I remembered off the top of my head. There may be more recent work, more relative to Quantum (although the paper does look at WebExtensions), since then. I also personally like to assume that published research papers are a step behind what is happening in the wild.

But, you obviously have a good grasp on what is in your threat model and what isn't. My original comment was geared more towards the people who pile on privacy extensions, sometimes at random, who are under the impression that more extensions always equals more protection.


[2] detects plugins, not extensions


Who would be doing the fingerprinting in that parent post situation? I know very little about fingerprinting. If you're blocking scripting and cookies from most (or maybe all in parent's case?) third parties, are they still able to fingerprint you? If yes, how do they do that?

Or would it be the first-party fingerprinting you and sharing that with their third-parties?


I would argue that this is not really an issue; 99,9% of users are not trying to hide from the NSA... and I seriously doubt whether common websites use such a sophisticated fingerprinting technique to show you a relative ad.


It might not be an issue to you and that is fine. Personally, I will not be basing what is fingerprinted and what isn't based on your doubt.



