Firefox code is not fine. It is 25 years old code, with many stuff bolted on top (multithreading). It does not even have a proper security sandboxing for renderer!
This codebase was underfunded for a very long time! And all rewrites and major refactorings were cancelled!
Nobody embeds Gecko engine anymore. There are good reasons for that!
Because independent engines put pressure on websites to write to the standard, not the (current) dominant implementation.
Otherwise we end up with sites from different eras requiring different engines or browsers. Then browsers have to support all those historical implementations too. And/or more sites break and breaks occur more often. It breeds a huge mess.
Fact! Firefox Security is atrociously behind modern standards and Firefox can only safely be used as a throwaway browser with additional external sand boxing.
How much of that is due to the difference in the amount of attention paid to each code base, do you reckon? If you're a security researcher, spending months of work on a browser with market share of more than 90% makes a lot more sense than on a browser with a market share of 2%, unless you're going after a specific individual who you know for sure uses that specific browser.
Both are giant C++ codebases executing random code of the internet. Of course they are both security nightmares. But Chrome has significant hardening that Firefox lacks [0].
I know, but I was trying to find vulnerabilities that could meaningfully hurt me, and imperfect hardening that hasn't yet/knowingly been exploited isn't super important to me.
I don't have government-funded security researchers out to get me. I hope.
This codebase was underfunded for a very long time! And all rewrites and major refactorings were cancelled!
Nobody embeds Gecko engine anymore. There are good reasons for that!