securityaffairs.com 4/27/2026, 11:32:16 AM · via preferred

Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting

CyberSIXT Evidence Panel
Primary Source: mozilla.org
CVE Intel: not in CISA KEV; patch available

Firefox bug CVE-2026-6770 allowed attackers to fingerprint users of Firefox and Tor Browser, even in Private Browsing, by exploiting IndexedDB data in Firefox and Thunderbird. The flaw works through a deterministic, process-scoped identifier derived from the order of entries returned by indexedDB.databases(), which enables cross-origin tracking and linking of activity across sites. It persists in Private Browsing and Tor sessions despite attempts to reset sessions.

Mozilla patched the issue in Firefox 150, ESR 140.10, and Thunderbird updates released on 21 April 2026, and the Tor Project released Tor Browser 15.0.10 to fix the problem. The researchers who found the vulnerability say websites can use it to fingerprint a browser session and link user activity across different sites, with the identifier remaining stable for the lifetime of the browser process and persisting through Tor’s New Identity feature.

The article notes that the vulnerability can be exploited without user interaction and that it poses privacy risks even in the absence of active exploits.


Article by CyberSIXT
