

This is apparently an old issue that somehow got resurfaced again (pull).
tl;dr dev had enabled remote debugging back when the project was new to make debugging easier, apparently forgot about it, someone noticed and reported it, dev apologized and said he was learning and won’t do it again:
Maybe I underestimated the actual risk of this? Yes, but again, it was probably on the first month of development, we learn from our mistakes so we can now provide the most private and secure experience we can. Thanks
This. I personally avoid random firefox forks because there is such a large surface to make mistakes or hide backdoors. If people want a private, hardened firefox, Mullvad’s fork (or Tor) is the best option. If you only want to disable telemetry, you can use betterfox user.js with Firefox.