Researchers have found a vulnerability that might permit risk actors to fingerprint Firefox customers, even in Non-public Shopping mode. The problem additionally impacts the Tor anonymity browser, which is predicated on Firefox.
The vulnerability, tracked as CVE-2026-6770, is said to the IndexedDB browser API, which is used for storing structured knowledge on the shopper facet.
Firefox shops IndexedDB database names utilizing inner UUID mappings, and when an internet site lists these databases, the order they arrive again in stays the identical throughout totally different websites whereas the identical browser course of is operating.
[ Read: Claude Mythos Finds 271 Firefox Vulnerabilities ]
This permits unrelated websites to independently observe the identical ordering and use it to hyperlink a consumer’s exercise throughout domains with none cookies or shared storage. The fingerprint persists throughout reloads and new personal periods, till the browser is absolutely restarted.
Menace actors might exploit this to fingerprint customers in Firefox’s Non-public Shopping mode and even when Tor’s New Identification characteristic is used.
The New Identification characteristic in Tor is particularly designed to stop a consumer’s exercise throughout totally different websites from being linked by clearing searching historical past, cookies, and lively connections.
“In Tor Browser, the secure identifier successfully defeats Tor Browser’s ‘New Identification’ isolation inside a operating browser course of, permitting web sites to hyperlink periods which are anticipated to be absolutely remoted from each other,” the researchers defined.
Mozilla patched CVE-2026-6770 with the discharge of Firefox 150. The group assigned the flaw a ‘medium severity’ ranking and described it solely as “different difficulty within the Storage: IndexedDB element”.
The Tor Mission has additionally adopted the patch, rolling it out to customers final week with the discharge of Tor Browser 15.0.10.
