Extraneous Product/Version Combinations in User Agent? (ex: Herring/94.1.8750.51, OpenWave/96.4.6033.34)

Recently we have been seeing a very small fraction of requests from Firefox with extraneous product/version combinations in the User-Agent header as well as in navigator.userAgent. They do not appear to be concentrated in a particular part of the world, and we see requests coming from IPs within residential ISP space.

These random product/version combinations take the form <Label> /XXX.X.XXXX.X appended to the end of an expected firefox user agent, for example:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 OpenWave/96.4.8603.4

The labels that we know of are:

  • Agency
  • AtContent
  • Config
  • GLS
  • Herring
  • LikeWise
  • OpenWave
  • Trailer
  • Unique
  • Viewer

A cursory google search for each of the different labels doesn’t bring up any mention of development chatter, or really any mention of this phenomenon at all. However, if you look at a few SEO junk sites listing common User Agent patterns, you can see some of these weird product/version patterns appear, ex: https://whatmyuseragent.com/browser/ff/firefox/103 - meaning that this isn’t happening on a few sites, this is likely happening across the broader internet.

From an external perspective, this could be some smoke test of UA sniffers, similar to TLS GREASE or User-Agent Client Hinting GREASE, but there’s no discussion of this anywhere that I can find. So my question is:

Is this an effort by Mozilla/Firefox Devs?

We’re mainly interested in finding out where this odd phenomenon is coming from, whether it’s from a browser-based experiment, from some strange extension, or from a specific actor.

In some cases, this might be caused by Avast AntiTrack or AVG AntiTrack or other security software or proxies. Add-ons might also be implicated.