Tags: apache, browser-cache, offline-caching, http-caching, penetration-testing

Penetration Test - cannot clear browser cache


Our banking app has just been subjected to penetration testing. One of the findings was that if you open "about:cache" in Mozilla and then choose "List Cache Entries", you can see all the cache entries from the app. The issue is that we cannot prevent this even though we have already set the following in the Apache web server httpd.config file (see below):

Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
Vary: *

Is there anything else we need to do?


Solution

  • This is a problem with the vendor. The correct headers are in place, and that is by far the industry standard way to remediate and test for improper cache controls.

    It seems like you have already done your part to set proper cache controls. If Firefox still caches it that is a bug/quirk/feature of the browser. I would push back and ask the vendor for guidance if they insist on testing this way. I have a feeling they will close the issue.
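To confirm what the answer says, that the header set in the question is the standard way to forbid caching, it helps to check what the server actually sends rather than what the config file says. The following is an added example, not part of the original post or its answer: a small Python checker that parses a raw HTTP response header block and reports the cache-control weaknesses a tester would normally flag. Both response samples are constructed for the example; the first repeats the header values from the question, the second shows a typical weak configuration for comparison. The rule names and findings text are this example's own, derived from the Cache-Control semantics in RFC 9111 (no-store, private, max-age) plus the legacy Pragma header.

```python
"""Audit HTTP response headers for cache-control weaknesses (added example)."""
from typing import Dict, List, Optional

# Constructed sample: what Apache sends with the directives from the question in place.
STRICT_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
Vary: *
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: a weak configuration that permits reuse for ten minutes.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Cache-Control: private, max-age=600
Content-Type: text/html; charset=utf-8
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return headers as lowercase name -> list of values (repeated headers allowed)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/"):      # status line carries no header
            continue
        if not line.strip():              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Split every Cache-Control value into directive -> argument (None if bare)."""
    directives: Dict[str, Optional[str]] = {}
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            token = token.strip()
            if not token:
                continue
            name, _, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_cache_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means no cache-control weakness was found."""
    headers = parse_headers(raw)
    directives = cache_control_directives(headers)
    findings: List[str] = []

    no_store = "no-store" in directives
    if not no_store:
        findings.append("Cache-Control lacks no-store: the response may be written to a cache")
    if not no_store and "private" not in directives:
        findings.append("Cache-Control lacks private: shared caches (proxies) may store the response")

    max_age = directives.get("max-age")
    if not no_store and max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"max-age={max_age} allows reuse without revalidation for {max_age} seconds")

    pragmas = [v.lower() for v in headers.get("pragma", [])]
    if "no-cache" not in pragmas:
        findings.append("Pragma: no-cache missing (only matters for HTTP/1.0 intermediaries)")

    return findings


if __name__ == "__main__":
    for label, sample in (("strict", STRICT_RESPONSE), ("weak", WEAK_RESPONSE)):
        result = audit_cache_headers(sample)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

In practice the raw header block would come from the live server (for instance the output of `curl -sI` against the login page) rather than a constructed string, and the checker should be run against every authenticated page, not just the ones named in the report. The strict sample produces no findings, which is the point the answer makes: once no-store is present in what the server actually sends, what a particular browser chooses to list in about:cache is a browser behaviour rather than a server-side control gap.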