A security issue tracked as CVE-2026-6770 could allow fingerprinting of Firefox users, including those using Private Browsing and the Tor anonymity browser based on Firefox, by exploiting the IndexedDB API and how Firefox stores database names. The vulnerability enables sites to observe a consistent ordering of IndexedDB databases across different sites within the same browser process, potentially linking a user’s activity across domains without cookies or shared storage.
Threat actors could exploit this to fingerprint users even when Tor's New Identity feature is used, and the fingerprint persists across reloads until the browser is restarted. According to Mozilla, the flaw was patched with Firefox 150, which the organisation described as a “medium severity” issue and an “other issue in the Storage: IndexedDB component”; Tor has also rolled out the patch via Tor Browser 15.0.10 last week.
Written by Eduard Kovacs, the piece notes the vulnerability affects Tor as well as Firefox, and highlights the ongoing remediation by Mozilla and the Tor Project.