Firefox vulnerability exposes stable identifier linking Tor identities
Original: We found a stable Firefox identifier linking all your private Tor identities
Why This Matters
The flaw breaks a fundamental privacy assumption in browsers designed for anonymity: that separate sessions and identities cannot be linked.
Security researchers discovered a Firefox IndexedDB vulnerability that yields a stable browser identifier, one that persists through Tor Browser's "New Identity" feature and private browsing sessions. Mozilla fixed the issue in Firefox 150.
Fingerprint.com researchers found a privacy vulnerability in Firefox-based browsers that allows websites to derive stable identifiers from IndexedDB database ordering. The ordering is process-scoped rather than origin-scoped, so unrelated websites can link activity across origins for as long as the browser process runs. In Firefox Private Browsing, the identifier persists after private windows are closed, as long as the process keeps running. In Tor Browser, it survives the "New Identity" feature, which is designed to provide complete session isolation. Mozilla quickly released fixes in Firefox 150 and ESR 140.10.0, tracked as Mozilla Bug 2024220. The fix canonicalizes database ordering before returning results, removing the entropy that created stable identifiers.
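A toy model of the behaviour and the fix described above, added here as an illustration; it is not Firefox's code or the researchers' code. The `BrowserProcess` class, its per-process `seed`, the probe names and the example origins are all assumptions made for the model.

```javascript
// Constructed model, not Firefox code: `seed` stands in for whatever per-process
// state influenced enumeration order; names and origins below are made up.
function fnv1a(str) { // small non-cryptographic hash, enough for the model
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h;
}

class BrowserProcess {
  constructor(seed, canonicalize) {
    this.seed = seed;                 // lives as long as the process does
    this.canonicalize = canonicalize; // true models the fixed behaviour
    this.stores = new Map();          // origin -> Set of database names
  }
  open(origin, name) {
    if (!this.stores.has(origin)) this.stores.set(origin, new Set());
    this.stores.get(origin).add(name);
  }
  newIdentity() { this.stores.clear(); } // site data is wiped, the process keeps running
  // Lists one origin's databases. Only that origin's names are returned, but in
  // the unfixed model their order is decided by the process-wide seed.
  databases(origin) {
    const names = [...(this.stores.get(origin) || [])];
    const key = (n) => fnv1a(this.seed + ":" + n);
    return this.canonicalize ? names.sort() : names.sort((a, b) => key(a) - key(b));
  }
}

// What a page can observe: the order in which its own fixed set of names comes back.
const PROBE = ["a", "b", "c", "d", "e", "f", "g", "h"];
function observedOrder(proc, origin) {
  for (const n of PROBE) proc.open(origin, n);
  return proc.databases(origin).join("");
}

// Regression check: true when the listing leaks nothing process-specific, i.e.
// two different processes return the same order for the same names.
function orderIsProcessIndependent(canonicalize) {
  const p0 = new BrowserProcess("p0", canonicalize);
  const p1 = new BrowserProcess("p1", canonicalize);
  return observedOrder(p0, "https://a.example") === observedOrder(p1, "https://a.example");
}
```

In the unfixed model the same order comes back for every origin and after `newIdentity()`, because only the stored data is reset and not the seed; with `canonicalize` set, the order is a pure function of the names.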