Security researchers have identified a significant vulnerability in Firefox that allows threat actors to track users, even when they browse in Private Browsing mode. The flaw also affects the Tor Browser, which is based on Firefox.
Understanding the Firefox Vulnerability
The issue, tracked as CVE-2026-6770, involves the IndexedDB API, a common browser feature for storing data on the client. Firefox uses internal UUID mappings to manage database names, and these mappings remain consistent across sites for the duration of a single browser session.
This consistency allows separate websites to observe database orderings, potentially linking a user’s activities across different domains without the need for cookies or shared storage. The issue persists until the browser session is completely restarted, affecting both Firefox’s Private Browsing and Tor’s New Identity feature.
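The following is an added example, not Firefox code and not taken from the researchers' write-up: a simplified model of why a session-wide name-to-UUID mapping gives two unrelated sites the same ordering, why clearing site data does not reset it, and how returning a canonical order removes the signal. It assumes the listing order follows the internal identifiers; the class, the `sortByName` switch and the database names are hypothetical, and the switch illustrates one possible mitigation rather than the fix Mozilla shipped.

```javascript
// Simplified model of the behaviour described above (assumption-based).
function randomId() {
  // 128-bit hex string standing in for an internal UUID (constructed).
  let s = "";
  for (let i = 0; i < 32; i++) s += Math.floor(Math.random() * 16).toString(16);
  return s;
}

class BrowserSession {
  constructor({ sortByName = false } = {}) {
    this.sortByName = sortByName; // hypothetical hardening switch
    this.nameToId = new Map();    // one mapping for the whole session, all sites
    this.stores = new Map();      // origin -> Set of database names
  }
  open(origin, name) {
    if (!this.nameToId.has(name)) this.nameToId.set(name, randomId());
    if (!this.stores.has(origin)) this.stores.set(origin, new Set());
    this.stores.get(origin).add(name);
  }
  list(origin) {
    const names = [...(this.stores.get(origin) || [])];
    // Hardened: canonical order, independent of any session state.
    if (this.sortByName) return names.sort();
    // Flawed: order derives from the session-wide identifiers.
    return names.sort((a, b) =>
      this.nameToId.get(a) < this.nameToId.get(b) ? -1 : 1);
  }
  clearSiteData() {
    // Models leaving Private Browsing or using New Identity: stored data is
    // wiped, but the mapping survives until the browser process restarts.
    this.stores.clear();
  }
}

// Constructed database names; any fixed set behaves the same way.
const NAMES = Array.from({ length: 16 }, (_, i) => "db" + String(i).padStart(2, "0"));

// Returns the ordering one origin would see for the fixed name set.
function observedOrder(session, origin) {
  for (const n of NAMES) session.open(origin, n);
  return session.list(origin).join(",");
}
```

In the flawed mode the returned string is identical for every origin in one session and changes only when a new `BrowserSession` is created, which is the restart condition the article describes.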
Implications for Tor Browser Users
The Tor Browser’s New Identity feature is intended to prevent session tracking by clearing browsing history and cookies. However, the stable identifier described by the researchers can compromise this feature within a running browser session, enabling websites to connect sessions that should remain isolated.
This discovery raises significant privacy concerns for users relying on Tor for anonymity, as their activities can be traced despite employing standard privacy measures.
Patch Releases and Future Outlook
Mozilla has addressed the vulnerability in Firefox version 150, categorizing it as a medium severity concern related to the Storage: IndexedDB component. The Tor Project followed suit, implementing the fix in Tor Browser version 15.0.10.
While the patch mitigates the immediate risk, the incident underscores the importance of ongoing vigilance in browser security to protect user privacy. Users are encouraged to update their browsers promptly and remain aware of potential vulnerabilities.
As the cybersecurity landscape evolves, both Mozilla and the Tor Project continue to emphasize their commitment to enhancing user privacy and security in future updates.
