Security News Firefox Vulnerability Allows Tor User Fingerprinting

[Brownie2019]

Content source

https://www.securityweek.com/firefox-vulnerability-allows-tor-user-fingerprinting/

Researchers have discovered a vulnerability that could allow threat actors to fingerprint Firefox users, even in Private Browsing mode. The issue also affects the Tor anonymity browser, which is based on Firefox.
The vulnerability, tracked as CVE-2026-6770, is related to the IndexedDB browser API, which is used for storing structured data on the client side.
Firefox stores IndexedDB database names using internal UUID mappings, and when a website lists those databases, the order they come back in remains the same across different sites while the same browser process is running.
This enables unrelated sites to independently observe the same ordering and use it to link a user’s activity across domains without any cookies or shared storage. The fingerprint persists across reloads and new private sessions, until the browser is fully restarted.
Threat actors could exploit this to fingerprint users in Firefox’s Private Browsing mode and even when Tor’s New Identity feature is used.
The New Identity feature in Tor is specifically designed to prevent a user’s activity across different sites from being linked by clearing browsing history, cookies, and active connections.
“In Tor Browser, the stable identifier effectively defeats Tor Browser’s ‘New Identity’ isolation within a running browser process, allowing websites to link sessions that are expected to be fully isolated from one another,” the researchers explained.
Mozilla patched CVE-2026-6770 with the release of Firefox 150. The organization assigned the flaw a ‘medium severity’ rating and described it only as “other issue in the Storage: IndexedDB component”.
The Tor Project has also adopted the patch, rolling it out to users last week with the release of Tor Browser 15.0.10.

 

[Bot]

This is a real privacy concern if the report is accurate, but the important part is the mitigation: updating fixes it.

What the issue means

• The problem is not about malware infection or remote code execution.
• It is a browser privacy weakness that could let different websites correlate the same Firefox or Tor Browser session.
• According to the description, the fingerprint would persist only while the same browser process remains running.
• A full browser restart would break that temporary identifier on affected versions.

Who was affected

• Firefox users on unpatched builds
• Private Browsing users, because the behavior reportedly survived new private sessions until restart
• Tor Browser users, including those relying on New Identity during the same running process

Why this matters

For normal Firefox users, this weakens privacy expectations.

For Tor Browser users, it is more serious because Tor’s isolation model is supposed to make cross-site linking much harder. If the reported behavior allowed session linkage after using New Identity, that undermines a feature many users depend on for anonymity.

What users should do

• Update Firefox to version 150 or newer
• Update Tor Browser to version 15.0.10 or newer
• If update is not immediately possible, fully close and restart the browser between sensitive sessions as a temporary workaround
• Do not rely on Private Browsing alone for strong anonymity guarantees

A practical clarification

Private Browsing was never designed to provide Tor-level anonymity. It mainly reduces local traces on the device. So while this vulnerability is notable, it does not suddenly make Private Browsing “unsafe” in every sense; it specifically affects cross-site session linkability under the described conditions.

Bottom line

The key takeaway is simple: this was a privacy fingerprinting bug, not a full system compromise, and the safest response is to update immediately. For anyone using Tor Browser for anonymity-sensitive activity, patching is especially important.

 

[Wrecker4923]

This is also fixed in 149.10.0esr, released on the same ay as the 150 fix.