
We found a stable Firefox identifier linking all your private Tor identities

Why This Matters

This vulnerability highlights a critical privacy flaw in Firefox-based browsers, including Tor Browser, where process-lifetime identifiers can be exploited to link user activity across sessions and origins. The issue undermines the core privacy guarantees of private browsing modes and anonymity tools, emphasizing the importance of timely security updates. The swift response from Mozilla and the Tor Project demonstrates the industry's commitment to maintaining user privacy, but also underscores the need for ongoing vigilance against subtle tracking techniques.

Key Takeaways

We recently discovered a privacy vulnerability affecting all Firefox-based browsers. The issue allows websites to derive a unique, deterministic, and stable process-lifetime identifier from the order of entries returned by IndexedDB, even in contexts where users expect stronger isolation.

This means a website can create a set of IndexedDB databases, inspect the returned ordering, and use that ordering as a fingerprint for the running browser process. Because the behavior is process-scoped rather than origin-scoped, unrelated websites can independently observe the same identifier and link activity across origins during the same browser runtime. In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits. The feature is described as being for users who "want to prevent [their] subsequent browser activity from being linkable to what [they] were doing before." This vulnerability effectively defeats the isolation guarantees users rely on for unlinkability.

We responsibly disclosed the issue to Mozilla and to the Tor Project. Mozilla quickly released the fix in Firefox 150 and ESR 140.10.0, and the patch is tracked in Mozilla Bug 2024220. The underlying root cause is inherited by Tor Browser through Gecko’s IndexedDB implementation, so the issue is relevant to both products and to all Firefox-based browsers.

The fix is straightforward in principle: the browser should not expose internal storage ordering that reflects process-scoped state. Canonicalizing or sorting results before returning them removes the entropy and prevents this API from acting as a stable identifier.
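
The following sketch is an added example, not code from the original article or from Gecko: a toy model in which the internal order of database names depends on a per-process seed, comparing the pre-fix listing with the canonicalized one. The seeded hash is an assumed stand-in for the process-scoped state the article refers to, and `BrowserProcess`, `mix`, the seeds and the `.example` origins are all constructed for illustration.

```javascript
// Constructed model, not Gecko code. Assumption: internal entry order is a
// function of a per-process seed and the name, never of the origin.
function mix(seed, name) {
  let h = seed >>> 0;
  for (const ch of name) h = Math.imul(h ^ ch.codePointAt(0), 16777619); // FNV-1a step
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);                           // murmur3 finalizer
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  return (h ^ (h >>> 16)) >>> 0;
}

class BrowserProcess {
  constructor(seed) { this.seed = seed; this.dbs = new Map(); }
  create(origin, names) { this.dbs.set(origin, [...names]); }
  // Models "New Identity" or closing private windows: data goes, the process stays.
  clearSiteData() { this.dbs.clear(); }
  // Pre-fix behaviour: names come back in internal (seed-dependent) order.
  listInternalOrder(origin) {
    const rank = (n) => mix(this.seed, n);
    return [...(this.dbs.get(origin) || [])].sort(
      (a, b) => rank(a) - rank(b) || (a < b ? -1 : a > b ? 1 : 0));
  }
  // The fix the article describes: canonicalize (sort) before returning.
  listCanonical(origin) { return this.listInternalOrder(origin).sort(); }
}

// Constructed sample input: 16 database names, identical for every site.
const NAMES = Array.from({ length: 16 }, (_, i) => `db-${String(i).padStart(2, '0')}`);

function observe(proc, origin, lister) {
  proc.create(origin, NAMES);
  return proc[lister](origin).join(',');
}

function demo() {
  const proc = new BrowserProcess(0x1234abcd);
  const restarted = new BrowserProcess(0x9e3779b9); // new process, new seed
  const siteA = observe(proc, 'https://a.example', 'listInternalOrder');
  const siteB = observe(proc, 'https://b.example', 'listInternalOrder');
  proc.clearSiteData();
  const afterReset = observe(proc, 'https://a.example', 'listInternalOrder');
  return {
    linkedAcrossOrigins: siteA === siteB,
    linkedAcrossReset: siteA === afterReset,
    linkedAcrossRestart: siteA === observe(restarted, 'https://a.example', 'listInternalOrder'),
    canonicalDiffers: observe(proc, 'https://a.example', 'listCanonical')
      !== observe(restarted, 'https://a.example', 'listCanonical'),
  };
}
console.log(demo());
```

In the model, the internal order matches across origins and across a data reset within one process and changes only when the process restarts; the canonical order is identical everywhere, so it carries no identifying information.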

Why this matters

Private browsing modes and privacy-focused browsers are designed to reduce websites' ability to identify users across contexts. Users generally expect two things:

First, unrelated websites should not be able to tell they are interacting with the same browser instance unless a shared storage or explicit identity mechanism is involved.

Second, when a private session ends, the state associated with that session should disappear.

This issue breaks both expectations. A website does not need cookies, localStorage, or any explicit cross-site channel. Instead, it can rely on the browser’s own internal storage behavior to derive a high-capacity identifier from the ordering of database names returned by an API.

For developers, this is a useful reminder that privacy bugs do not always come from direct access to identifying data. Sometimes they come from deterministic exposure of internal implementation details.
