Firefox IndexedDB Flaw Breaks Tor Browser Anonymity
Researchers at Fingerprint.com have disclosed CVE-2026-6770, a high-severity privacy vulnerability in Mozilla Firefox that undermines the anonymity guarantees of Tor Browser. The flaw allows a malicious website to generate a stable, unique fingerprint for a browser instance that survives the Tor Browser "New Identity" reset — the feature designed to prevent exactly this kind of tracking.
The vulnerability was patched on April 21, 2026 in Firefox 150, Firefox ESR 140.10, and Tor Browser 15.0.10. All Gecko-based browsers including LibreWolf and Mullvad Browser were affected.
How the Fingerprinting Works
The IndexedDB Hash-Table Ordering Quirk
When websites create IndexedDB databases in Firefox, the browser internally maps database names to UUID-based identifiers stored in a global hash table. The order in which indexedDB.databases() returns entries is determined by this hash table's internal structure — which is stable for the entire lifetime of the browser process.
This ordering is unique per browser instance. Researchers Dai Nguyen and Martin Bajanik of Fingerprint.com discovered that with just 16 controlled database names, the possible orderings exceed 20 trillion combinations — approximately 44 bits of entropy — more than sufficient to uniquely identify any individual browser instance worldwide.
Surviving the "New Identity" Reset
Tor Browser's "New Identity" feature is the primary tool for anonymity resets. It clears:
- Cookies and site data
- Browser history
- Active Tor circuits (generating new exit nodes)
However, it does not restart the browser process — and therefore does not reset the internal hash table state. A fingerprint established before a New Identity reset remains valid and linkable after the reset, allowing a site to silently re-identify the same user across what they believed were separate anonymous sessions.
// Attacker establishes fingerprint before New Identity
const fp1 = await getIndexedDBFingerprint();
// User clicks "New Identity" — circuits change, cookies clear
// but process state persists
// Attacker re-fingerprints after New Identity
const fp2 = await getIndexedDBFingerprint();
console.log(fp1 === fp2); // true — user is re-identifiedVulnerability Details
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-6770 |
| Type | Information Disclosure — Browser Fingerprinting |
| Affected Browsers | Firefox 149 and earlier, Tor Browser 15.0.9 and earlier, LibreWolf, Mullvad Browser |
| Mechanism | IndexedDB databases() return order leaks stable per-instance entropy |
| Entropy | ~44 bits — globally unique fingerprint from 16 database names |
| Persists Across | New Identity reset, private browsing, tab isolation |
| Disclosed | April 21, 2026 (Fingerprint.com responsible disclosure) |
| Patched In | Firefox 150, Firefox ESR 140.10, Tor Browser 15.0.10 |
The Fix: Alphabetical Sorting
Mozilla's patch is elegantly simple: the indexedDB.databases() API now sorts results alphabetically before returning them. This removes the internal-ordering entropy entirely — all browsers return the same predictable order for the same set of database names, eliminating the fingerprinting vector.
Broader Implications for Tor Users
This vulnerability represents a significant threat to high-risk Tor users — journalists, activists, whistleblowers, and dissidents — who rely on Tor Browser's anonymity guarantees:
- Deanonymization without malware — no exploit needed; the fingerprint is derived passively from normal browser behavior
- Persistent across sessions the user believes are isolated — the attack undermines a security model that users actively rely on
- Cross-site tracking — any two sites the user visits in the same browser process instance can collude to link the user's activity
The researchers noted that this is a structural weakness in how Firefox manages internal browser state, rather than a logic bug in Tor Browser specifically. The fix requires changes at the browser engine level.
Affected Browsers and Patch Status
| Browser | Affected Version | Safe Version |
|---|---|---|
| Firefox | 149 and earlier | 150 |
| Firefox ESR 140.x | 140.9 and earlier | 140.10 |
| Tor Browser | 15.0.9 and earlier | 15.0.10 |
| LibreWolf | Pre-Firefox 150 base | Update to Firefox 150 base |
| Mullvad Browser | Pre-Firefox 150 base | Update to Firefox 150 base |
| Thunderbird | ESR 140.9 and earlier | 140.10 |
Recommendations
- Update Firefox immediately — Firefox 150 and Tor Browser 15.0.10 contain the fix; update now
- Tor Browser users on 15.0.9 or earlier are at risk — the "New Identity" button does not protect against this attack on unpatched versions
- LibreWolf and Mullvad Browser users should verify their build is based on Firefox 150 or later
- High-risk users (journalists, activists) who have not yet updated should avoid using "New Identity" as a privacy tool until patched
Key Takeaways
- CVE-2026-6770 exploits Firefox's IndexedDB internal hash-table ordering to generate 44-bit per-instance fingerprints that survive Tor Browser's anonymity-reset feature
- Fingerprint.com researchers discovered and responsibly disclosed the flaw to Mozilla and the Tor Project simultaneously; the fix was released the same day as disclosure
- The attack is passive — no exploit delivery, no user interaction required; any site can silently fingerprint a visitor
- The fix — alphabetically sorting
indexedDB.databases()output — removes the entropy leak entirely and is available in Firefox 150 / Tor Browser 15.0.10
Sources
- Firefox Vulnerability Allows Tor User Fingerprinting — SecurityWeek
- We Found a Stable Firefox Identifier Linking All Your Private Tor Identities — Fingerprint.com
- Fingerprint.com Discovers Vulnerability That Can Link Your Tor Browsing Together — Privacy Guides
- Security Vulnerabilities Fixed in Firefox 150 — Mozilla (MFSA 2026-30)