Firefox Vulnerability Allows Tor User Fingerprinting

SecurityWeek, Apr 27, 2026

Why It Matters

The exploit compromises the core privacy guarantees of Firefox’s private mode and Tor’s anonymity, exposing users to cross‑site tracking and de‑anonymization. Prompt remediation is critical for journalists, activists, and any users relying on Tor for confidential browsing.

Key Takeaways

  • CVE‑2026‑6770 exploits stable IndexedDB ordering for cross‑site fingerprinting.
  • Fingerprint persists across private sessions until full browser restart.
  • Tor’s New Identity can be bypassed within same process.
  • Mozilla patched the flaw in Firefox 150, rating it medium severity.
  • Tor Browser 15.0.10 ships the fix, protecting Tor users.

Pulse Analysis

The newly disclosed CVE‑2026‑6770 targets the IndexedDB storage engine, a component many web applications use for offline data. By exposing the deterministic order of internal UUID mappings, the bug creates a fingerprint that remains constant for the lifetime of a browser process. Unlike cookies or local storage, this identifier survives private browsing windows, allowing trackers to correlate activity across unrelated sites without user consent. The technical nuance lies in the fact that the ordering is not randomized per site, making it a reliable signal for malicious actors.

For Tor users, the vulnerability is especially alarming. Tor Browser’s New Identity feature is designed to reset all session state, clearing cookies, caches, and network connections to prevent correlation attacks. However, the stable IndexedDB identifier persists within the same process, effectively bridging the isolation gap that New Identity promises. Threat actors could exploit this to de‑anonymize users, linking visits to hidden services or political forums back to a single browser instance. The issue underscores a broader challenge: even hardened anonymity tools can inherit systemic flaws from their upstream browsers.

Mozilla responded by releasing Firefox 150, assigning the issue a medium severity rating and describing it as an “other issue in the Storage: IndexedDB component.” The patch randomizes the database name ordering, breaking the fingerprinting chain. The Tor Project quickly incorporated the fix into Tor Browser 15.0.10, demonstrating coordinated security stewardship. Users should update immediately and consider restarting the browser entirely after each session to clear any residual identifiers. The episode highlights the importance of rapid patch deployment and continuous auditing of privacy‑critical code paths in browsers that serve as the foundation for anonymity platforms.
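The following added example is a simplified model of the behaviour described above, not Firefox or Tor Browser code. It shows why an ordering derived from process-lifetime identifiers links unrelated sites and survives New Identity but not a full restart, and why randomizing the ordering removes the signal. The class, the database names, the `.example` origins and the per-query shuffle used for the patched case are all assumptions made for illustration.

```javascript
// Simplified model (constructed for illustration, not browser source code).
function randomId() {
  // Math.random is enough for a simulation; a browser would use a CSPRNG.
  let s = '';
  for (let i = 0; i < 4; i++) {
    s += Math.floor(Math.random() * 0x100000000).toString(16).padStart(8, '0');
  }
  return s;
}

class BrowserProcess {
  constructor(patched) {
    this.patched = patched;
    this.ids = new Map(); // name -> internal identifier, kept until the process exits
  }
  // Order in which a site would observe a set of database names.
  visibleOrder(origin, names) {
    // Unpatched model: identifiers are process-wide and `origin` is ignored,
    // which is the flaw. Patched model (assumption): fresh random keys per query.
    const ids = this.patched ? new Map() : this.ids;
    for (const n of names) if (!ids.has(n)) ids.set(n, randomId());
    return [...names].sort((a, b) => (ids.get(a) < ids.get(b) ? -1 : 1)).join(',');
  }
  newIdentity() {
    // Models New Identity: cookies, caches and connections would be cleared
    // here, but this.ids belongs to the process and is left untouched.
  }
}

const NAMES = Array.from({ length: 12 }, (_, i) => 'db' + i); // constructed names

function correlate(patched) {
  let proc = new BrowserProcess(patched);
  const siteA = proc.visibleOrder('https://a.example', NAMES);
  const siteB = proc.visibleOrder('https://b.example', NAMES);
  proc.newIdentity();
  const afterNewIdentity = proc.visibleOrder('https://a.example', NAMES);
  proc = new BrowserProcess(patched); // full browser restart: new process
  const afterRestart = proc.visibleOrder('https://a.example', NAMES);
  return {
    crossSite: siteA === siteB,
    survivesNewIdentity: siteA === afterNewIdentity,
    survivesRestart: siteA === afterRestart,
  };
}

console.log('unpatched:', correlate(false));
console.log('patched:  ', correlate(true));
```

With 12 names there are 12! possible orderings, so an accidental match between two independent orderings is negligible.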
