@gabi @sally @teto >You should also disable JavaScript, do not load custom fonts, enable tracking protection, isolate requests to first-party domains, spoof referers, and block third-party requests. Make sure Geolocation and WebGL are disabled.
Yes, that's what safest mode does - manually setting those things would make you uniquely identifiable.

You need to also set javascript.enabled=false in about:config, otherwise JavaScript sometimes still gets run.

>HTML and CSS can still be exploited in browser-targeted attacks.
As far as I can tell, all of such attacks have needed to leverage JavaScript, as it's too difficult to convince the user to follow the exact sequence of steps required to trigger the attack otherwise.