A Firefox IndexedDB vulnerability discovered by Fingerprint.com researchers exposed a fundamental flaw in how Firefox handles private browsing isolation, allowing websites to track users’ private Tor identities even after clearing data or activating Tor’s New Identity feature. The vulnerability, assigned CVE-2026-6770, affected all Firefox-based browsers including Firefox Private Browsing and Tor Browser, persisting across sessions within the same process lifetime.
Key Takeaways
- Firefox IndexedDB vulnerability allowed cross-origin tracking via database ordering, surviving Private Mode and Tor New Identity
- Websites created IndexedDB databases and used deterministic entry ordering as a stable, high-entropy fingerprint
- Identifier persisted in Firefox Private Browsing if the browser process remained running, even after closing all private windows
- In Tor Browser, the flaw bypassed New Identity, linking user sessions across the intended privacy boundary
- Mozilla and Tor Project patched CVE-2026-6770 on April 21, 2026, in Firefox 150 and Tor Browser 15.0.10
How the Firefox IndexedDB vulnerability worked
The Firefox IndexedDB vulnerability exploited a flaw in how Gecko, Firefox’s rendering engine, managed IndexedDB databases in private mode. Websites would create a series of IndexedDB databases with specific names, then inspect the order in which those databases were returned from the system. That ordering—regardless of the database contents—created a unique, high-entropy fingerprint stable for the entire browser process lifetime. The identifier was process-scoped rather than origin-scoped, meaning unrelated websites visiting the same browser could correlate user activity across origins during the same runtime session.
The root cause lay in Gecko’s IndexedDB implementation in private mode: the system mapped database names to UUID filenames using a global cross-origin hash table, which was cleared only on full browser restart. This meant that even if a user closed all private windows, deleted browsing history, and cleared cookies, the underlying process-level identifier remained intact. A website revisiting the user in a fresh session could recreate the same set of IndexedDB databases and observe the same ordering, instantly recognizing the returning user.
Why this destroyed Tor Browser’s New Identity feature
Tor Browser’s New Identity function is designed to prevent subsequent browser activity from being linkable to prior sessions. When activated, it clears cookies, browsing history, and initiates new Tor circuits—a complete reset intended to sever all connection to previous activity. The Firefox IndexedDB vulnerability rendered this protection useless. A user could activate New Identity, receive a new Tor circuit and IP address, but the underlying IndexedDB process identifier would remain unchanged. Any website that had fingerprinted the user before New Identity activation could match the post-activation session to the pre-activation session, completely defeating the unlinkability guarantee.
This was not a minor edge case. Tor users explicitly choose New Identity to prevent tracking across sessions. The vulnerability meant that choice offered no actual protection against IndexedDB-based fingerprinting—a catastrophic failure for a privacy-focused browser.
Firefox IndexedDB vulnerability in Private Browsing mode
Firefox Private Browsing mode also suffered from the same flaw, though the mechanics differed slightly. In Private Browsing, Firefox normally isolates data from regular browsing and deletes all private data when the user closes the private window. However, the IndexedDB process identifier persisted as long as the Firefox process remained running. A user could open a private window, visit websites that fingerprinted them via IndexedDB, close the private window (clearing all stored data), then open another private window in the same Firefox process. The websites would recognize the returning user via the unchanged process identifier, even though all cookies and storage had been deleted.
The vulnerability only truly disappeared when the user completely closed Firefox and restarted the browser, forcing a new process to spawn. This meant that Private Browsing offered weaker isolation than users expected—a session-level identifier leaked across what should have been isolated private sessions.
The patch and what changed
Mozilla and the Tor Project released fixes on April 21, 2026. Firefox 150 and Firefox ESR 140.10.0 addressed the root cause by changing how Gecko manages IndexedDB database ordering in private mode. Tor Browser 15.0.10 incorporated the same fix. The patch eliminated the global cross-origin hash table that had created the stable process-level identifier, ensuring that database ordering became unpredictable and therefore unsuitable as a fingerprinting vector.
The fix required changes to Gecko’s core IndexedDB implementation—not a simple patch but a structural fix addressing the architectural flaw that had enabled the vulnerability in the first place.
Why this matters beyond Firefox
The Firefox IndexedDB vulnerability exposed a category of tracking technique that most users and many security researchers had not considered. IndexedDB is a legitimate web API designed for offline storage and performance. It is not inherently malicious. Yet by exploiting the deterministic ordering of database entries—a side effect of how the system managed internal data structures—attackers could extract a stable, process-lifetime identifier without users knowing. This vulnerability demonstrated that even well-intentioned browser APIs can leak fingerprinting signals if their implementation details are not carefully audited for privacy.
All Firefox-based browsers inherited this vulnerability, including privacy-focused derivatives. Only a full process restart eliminated the identifier, placing the burden on users to understand a technical detail most would never encounter.
Did this vulnerability affect Chrome or other browsers?
The Firefox IndexedDB vulnerability was specific to Gecko’s IndexedDB implementation and did not affect Chrome, Safari, or other non-Firefox-based browsers. However, this does not mean other browsers lack IndexedDB-based fingerprinting risks—it only means this specific vulnerability was unique to Firefox’s architecture.
How long was the vulnerability active?
The research brief does not specify when this vulnerability was first introduced or how long it existed in the wild before discovery. Fingerprint.com responsibly disclosed the flaw to Mozilla and the Tor Project, and patches were released on April 21, 2026. Users running Firefox 150 or later, or Tor Browser 15.0.10 or later, are protected.
Should I update Firefox or Tor Browser immediately?
Yes. If you use Firefox Private Browsing or Tor Browser, updating to the patched versions (Firefox 150, Tor Browser 15.0.10) eliminates the IndexedDB tracking vector. The vulnerability allowed websites to recognize you across sessions and across origins—a serious privacy breach for anyone relying on these browsers for anonymity.
The Firefox IndexedDB vulnerability demonstrated that privacy is not just about what data you store—it is about what data the browser leaks through its own internal mechanisms. Even after clearing cookies and activating New Identity, a single implementation flaw could render those protections meaningless. The patch restores the isolation guarantees that Tor and Private Browsing users depend on, but it is a reminder that privacy tools require constant scrutiny and that browser vendors must audit not just features but the subtle side effects of how those features work under the hood.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
