"Why is Firefox storing Google cookies even if I do not visit any website?" 2017-03-29 Files: firefox.pcapng.gz Packet capture firefox.keys SSLKEYLOGFILE output Configure the SSL/TLS keylog file: wireshark -ossl.keylog_file:firefox.keys -r firefox.pcapng.gz Use filters like "dns or http or http2" to see interesting traffic. Pay attention to the Google Safebrowsing requests, it sends a cookie in a response which is then carried to further requests. See for example frame 1498 where you get a cookie in a response to the request from frame 1487: Frame 1487: 398 bytes on wire (3184 bits), 398 bytes captured (3184 bits) on interface 0 Ethernet II, Src: 22:ee:b3:e4:61:ac (22:ee:b3:e4:61:ac), Dst: e6:63:f7:66:51:c6 (e6:63:f7:66:51:c6) Internet Protocol Version 4, Src: 10.9.0.2, Dst: 172.217.17.46 Transmission Control Protocol, Src Port: 45764 (45764), Dst Port: 443 (443), Seq: 461, Ack: 4576, Len: 332 Secure Sockets Layer HyperText Transfer Protocol 2 Stream: HEADERS, Stream ID: 13, Length 281 Length: 281 Type: HEADERS (1) Flags: 0x24 0... .... .... .... .... .... .... .... = Reserved: 0x00000000 .000 0000 0000 0000 0000 0000 0000 1101 = Stream Identifier: 13 [Pad Length: 0] 0... .... .... .... .... .... .... .... = Exclusive: False .000 0000 0000 0000 0000 0000 0000 1011 = Stream Dependency: 11 Weight: 21 [Weight real: 22] Header Block Fragment: 8305d8610394b1d87f0835533121fc5541c7223fc25062d4... 
        [Header Length: 553]
        [Header Count: 12]
        Header: :method: POST
        Header: :path: /safebrowsing/downloads?client=navclient-auto-ffox&appver=52.0&pver=2.2&key=AIzaSyDwr302FpOSkGRpLlUpPThNTDPbXcIn_FM
        Header: :authority: safebrowsing.google.com
        Header: :scheme: https
        Header: user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
        Header: accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Header: accept-language: en-US,en;q=0.5
        Header: accept-encoding: gzip, deflate, br
        Header: content-length: 85
        Header: content-type: text/plain
        Header: pragma: no-cache
        Header: cache-control: no-cache
        Padding:
    Stream: WINDOW_UPDATE, Stream ID: 13, Length 4
        Length: 4
        Type: WINDOW_UPDATE (8)
        Flags: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 0000 0000 0000 0000 0000 1101 = Stream Identifier: 13
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 1011 1110 0000 0000 0000 0000 = Window Size Increment: 12451840

Frame 1498: 588 bytes on wire (4704 bits), 588 bytes captured (4704 bits) on interface 0
Ethernet II, Src: e6:63:f7:66:51:c6 (e6:63:f7:66:51:c6), Dst: 22:ee:b3:e4:61:ac (22:ee:b3:e4:61:ac)
Internet Protocol Version 4, Src: 172.217.17.46, Dst: 10.9.0.2
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 45764 (45764), Seq: 4614, Ack: 954, Len: 522
Secure Sockets Layer
HyperText Transfer Protocol 2
    Stream: HEADERS, Stream ID: 13, Length 484
        Length: 484
        Type: HEADERS (1)
        Flags: 0x04
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 0000 0000 0000 0000 0000 1101 = Stream Identifier: 13
        [Pad Length: 0]
        Header Block Fragment: 3fe15f885f9e1d75d0620d263d4c77aa45e639e6a0aba072...
        [Header Length: 765]
        [Header Count: 14]
        Header table size update
        Header: :status: 200
        Header: content-type: application/vnd.google.safebrowsing-update
        Header: p3p: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
        Header: x-content-type-options: nosniff
        Header: date: Wed, 29 Mar 2017 11:59:45 GMT
        Header: server: HTTP server (unknown)
        Header: content-length: 32692
        Header: x-xss-protection: 1; mode=block
        Header: x-frame-options: SAMEORIGIN
        Header: set-cookie: NID=100=gYerkO8CRT8gj6Un-WjLz43uAV-OX4_kkSunetnzY12NkvznirA7USkXJ1rhWnYoJFKMBkX3TokHhpRglijb5-hpOO2A9ToIQFaWf61eZQRobAT6LGK444yQvZFrojE6; expires=Thu, 28-Sep-2017 11:59:45 GMT; path=/; domain=.google.com; HttpOnly
        Header: alt-svc: quic=":443"; ma=2592000; v="37,36,35"
        Header: expires: Wed, 29 Mar 2017 11:59:45 GMT
        Header: cache-control: private
        Padding:

This cookie is subsequently used for requests in frame 1547, 1631, etc.:

Frame 1547: 745 bytes on wire (5960 bits), 745 bytes captured (5960 bits) on interface 0
Ethernet II, Src: 22:ee:b3:e4:61:ac (22:ee:b3:e4:61:ac), Dst: e6:63:f7:66:51:c6 (e6:63:f7:66:51:c6)
Internet Protocol Version 4, Src: 10.9.0.2, Dst: 172.217.17.46
Transmission Control Protocol, Src Port: 45766 (45766), Dst Port: 443 (443), Seq: 467, Ack: 4215, Len: 679
Secure Sockets Layer
HyperText Transfer Protocol 2
    Stream: HEADERS, Stream ID: 13, Length 628
        Length: 628
        Type: HEADERS (1)
        Flags: 0x25
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 0000 0000 0000 0000 0000 1101 = Stream Identifier: 13
        [Pad Length: 0]
        0... .... .... .... .... .... .... .... = Exclusive: False
        .000 0000 0000 0000 0000 0000 0000 1011 = Stream Dependency: 11
        Weight: 21
        [Weight real: 22]
        Header Block Fragment: 8205ffcc01610394b1d87f08355331648c5e9f8d5189fab3...
        [Header Length: 947]
        [Header Count: 11]
        Header: :method: GET
        Header: :path: /safebrowsing/rd/ChVnb29nLWJhZGJpbnVybC1zaGF2YXI4AEACSgwIARDU5AcY-eQHIAFKDAgBEPDjBxjS5AcgAUoMCAEQ4-MHGO7jByABSgwIARCD4wcY4eMHIAFKDAgBEOfiBxiB4wcgAUoMCAEQuOIHGOXiByABSgwIARCU4gcYtuIHIAFKDAgBEN7hBxiS4gcgAUoMCAEQuuEHGNzhByABSgw
        Header: :authority: safebrowsing-cache.google.com
        Header: :scheme: https
        Header: user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
        Header: accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Header: accept-language: en-US,en;q=0.5
        Header: accept-encoding: gzip, deflate, br
        Header: cookie: NID=100=gYerkO8CRT8gj6Un-WjLz43uAV-OX4_kkSunetnzY12NkvznirA7USkXJ1rhWnYoJFKMBkX3TokHhpRglijb5-hpOO2A9ToIQFaWf61eZQRobAT6LGK444yQvZFrojE6
        Header: pragma: no-cache
        Header: cache-control: no-cache
        Padding:
    Stream: WINDOW_UPDATE, Stream ID: 13, Length 4
        Length: 4
        Type: WINDOW_UPDATE (8)
        Flags: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 0000 0000 0000 0000 0000 1101 = Stream Identifier: 13
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 1011 1110 0000 0000 0000 0000 = Window Size Increment: 12451840

Frame 1631: 1387 bytes on wire (11096 bits), 1387 bytes captured (11096 bits) on interface 0
Ethernet II, Src: 22:ee:b3:e4:61:ac (22:ee:b3:e4:61:ac), Dst: e6:63:f7:66:51:c6 (e6:63:f7:66:51:c6)
Internet Protocol Version 4, Src: 10.9.0.2, Dst: 172.217.17.46
Transmission Control Protocol, Src Port: 45766 (45766), Dst Port: 443 (443), Seq: 1230, Ack: 170279, Len: 1321
Secure Sockets Layer
HyperText Transfer Protocol 2
    Stream: HEADERS, Stream ID: 15, Length 1270
        Length: 1270
        Type: HEADERS (1)
        Flags: 0x25
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 0000 0000 0000 0000 0000 1111 = Stream Identifier: 15
        [Pad Length: 0]
        0... .... .... .... .... .... .... .... = Exclusive: False
        .000 0000 0000 0000 0000 0000 0000 1011 = Stream Dependency: 11
        Weight: 21
        [Weight real: 22]
        Header Block Fragment: 8205ffe408610394b1d87f08355331648c5e9f8d5189fab3...
        [Header Length: 2086]
        [Header Count: 11]
        Header: :method: GET
        Header: :path: /safebrowsing/rd/ChVnb29nLWJhZGJpbnVybC1zaGF2YXI4AEACSgwIARD43gcYgt8HIAFKDAgBEPDdBxj23gcgAUoMCAEQ0d0HGO7dByABSgwIARC63QcYz90HIAFKDAgBEKLdBxi43QcgAUoMCAEQ2twHGKDdByABSgwIARCa3AcY2NwHIAFKDAgBEI7cBxiX3AcgAUoMCAEQhdwHGIzcByABSgw
        Header: :authority: safebrowsing-cache.google.com
        Header: :scheme: https
        Header: user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
        Header: accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Header: accept-language: en-US,en;q=0.5
        Header: accept-encoding: gzip, deflate, br
        Header: cookie: NID=100=gYerkO8CRT8gj6Un-WjLz43uAV-OX4_kkSunetnzY12NkvznirA7USkXJ1rhWnYoJFKMBkX3TokHhpRglijb5-hpOO2A9ToIQFaWf61eZQRobAT6LGK444yQvZFrojE6
        Header: pragma: no-cache
        Header: cache-control: no-cache
        Padding:
    Stream: WINDOW_UPDATE, Stream ID: 15, Length 4
        Length: 4
        Type: WINDOW_UPDATE (8)
        Flags: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 0000 0000 0000 0000 0000 1111 = Stream Identifier: 15
        0... .... .... .... .... .... .... .... = Reserved: 0x00000000
        .000 0000 1011 1110 0000 0000 0000 0000 = Window Size Increment: 12451840

Note: if you want to reproduce this yourself, this is what I did:

1. Create separate network namespace to capture all traffic from Firefox.
2. Start the capture for that network.
3. Start Firefox with keylogging enabled.
4. Quit Firefox, stop the capture.

Or more concretely:

    $ git clone https://github.com/Lekensteyn/netns.git ~/netns
    $ sudo ~/netns/netns 0 start
    $ wireshark -i veth0 -p -k -ossl.keylog_file:firefox.keys &
    $ sudo ~/netns/netns 0 exec
    (netns0)$ mkdir prof
    (netns0)$ SSLKEYLOGFILE=firefox.keys firefox -no-remote -profile prof

Tested with:

    Arch Linux x86_64
    Firefox 52.0.1-2
    dumpcap (from wireshark-cli 2.0.5-1)
    Wireshark v2.3.0rc0-2902-g8efd42c4aa
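
The correlation done by eye above (a set-cookie in frame 1498, the same cookie sent back in frames 1547 and 1631) can be automated over a plain-text dissection. The script below is an added example, not part of the original notes; the function names are hypothetical and the embedded sample is constructed from the frames above with the cookie value replaced by a placeholder.

```python
import re

FRAME_RE = re.compile(r"^Frame (\d+):")
HEADER_RE = re.compile(r"^\s*Header: (:?[^:\s]+): (.*)$")

# Constructed sample: abridged from frames 1487-1631, cookie value replaced.
SAMPLE = """\
Frame 1487: 398 bytes on wire (3184 bits)
    Header: :method: POST
    Header: :authority: safebrowsing.google.com
Frame 1498: 588 bytes on wire (4704 bits)
    Header: :status: 200
    Header: set-cookie: NID=100=CONSTRUCTED; path=/; domain=.google.com; HttpOnly
Frame 1547: 745 bytes on wire (5960 bits)
    Header: :authority: safebrowsing-cache.google.com
    Header: cookie: NID=100=CONSTRUCTED
Frame 1631: 1387 bytes on wire (11096 bits)
    Header: :authority: safebrowsing-cache.google.com
    Header: cookie: NID=100=CONSTRUCTED
"""

def parse_frames(text):
    """Return {frame_number: [(header_name, value), ...]} in capture order."""
    frames, current = {}, None
    for line in text.splitlines():
        if m := FRAME_RE.match(line):
            current = frames.setdefault(int(m.group(1)), [])
        elif current is not None and (m := HEADER_RE.match(line)):
            current.append((m.group(1).lower(), m.group(2).strip()))
    return frames

def cookie_reuse(text):
    """For every Set-Cookie seen, list the later frames that send it back."""
    issued, report = {}, []
    for number, headers in sorted(parse_frames(text).items()):
        authority = next((v for n, v in headers if n == ":authority"), None)
        for name, value in headers:
            if name == "set-cookie":
                pair, *attrs = [part.strip() for part in value.split(";")]
                domain = next((a.split("=", 1)[1] for a in attrs
                               if a.lower().startswith("domain=")), None)
                issued[pair] = {"cookie": pair.split("=", 1)[0], "set_in": number,
                                "domain": domain, "sent_in": []}
                report.append(issued[pair])
            elif name == "cookie":  # HTTP/2 may split cookies over several headers
                for pair in (part.strip() for part in value.split(";")):
                    if pair in issued:
                        issued[pair]["sent_in"].append((number, authority))
    return report

if __name__ == "__main__":
    for entry in cookie_reuse(SAMPLE):
        print(entry)
```

To run it on the real capture, pass the text of a decrypted packet dissection (Wireshark's plain-text export of the packet details) to cookie_reuse() in place of SAMPLE.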