Update 'user.js'

user.js

@@ -408,6 +408,7 @@ user_pref("browser.send_pings.require_same_host", true); // defense-in-depth
 // [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an
 // OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
 // then this won't make much difference. If you are masking your IP, then it can only help.
+// [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
 // [TEST] https://ipleak.org/
 // https://github.com/arkenfox/user.js/issues/437#issuecomment-403740626
 // https://www.internetsociety.org/tag/ipv6-security/ ***/
@@ -1123,7 +1124,13 @@ user_pref("javascript.options.asmjs", false);
 // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
 // -------------------------------------
 // Disable WebAssembly [FF52+] [SETUP-PERF]
-// https://developer.mozilla.org/docs/WebAssembly ***/
+// Vulnerabilities have increasingly been found, including those known and fixed
+// in native programs years ago. WASM has powerful low-level access, making
+// certain attacks (brute-force) and vulnerabilities more possible
+// [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising
+// https://developer.mozilla.org/docs/WebAssembly
+// https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
+// https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
 user_pref("javascript.options.wasm", false);
 // -------------------------------------
 // Enable (limited but sufficient) window.opener protection [FF65+]