CVE-2026-6770 let attackers fingerprint Firefox and Tor users, even in Private mode. Firefox 150 and Tor Browser 15.0.10 fixed it.
A vulnerability, tracked as CVE-2026-6770, allowed attackers to fingerprint Firefox users, even in Private Browsing, and also impacted the Tor Browser.
The flaw worked even when Tor’s New Identity feature was used, bypassing protections meant to reset sessions and prevent linking activity across sites.
CVE-2026-6770 is a medium-severity information disclosure flaw in Firefox and Thunderbird’s IndexedDB that allows unauthorized access to client-side data. It can enable cross-origin tracking, exposing stable identifiers even in Private Browsing and Tor sessions.
An attacker can exploit the issue without user interaction; the bug poses privacy risks despite no active exploits. Mozilla patched it in Firefox 150, ESR 140.10, and Thunderbird updates released April 21, 2026.
The Tor Project release Tor Browser 15.0.10 to fix the problem.
The researchers who found the vulnerability report that websites can use it to fingerprint a browser session and link user activity across different sites. The identifier persists for the lifetime of the browser process, even after closing Private Browsing windows, and remains unchanged in Tor Browser despite using the “New Identity” feature, undermining expected privacy and unlinkability protections.
“The issue allows websites to derive a unique, deterministic, and stable process-lifetime identifier from the order of entries returned by IndexedDB, even in contexts where users expect stronger isolation.” wrote the researchers. “This means a website can create a set of IndexedDB databases, inspect the returned ordering, and use that ordering as a fingerprint for the running browser process. Because the behavior is process-scoped rather than origin-scoped, unrelated websites can independently observe the same identifier and link activity across origins during the same browser runtime. In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the “New Identity” feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.”
The flaw undermines core privacy expectations: sites shouldn’t link users across contexts, and private sessions should leave no trace. Instead, Firefox’s IndexedDB exposes a deterministic, process-level identifier via the ordering of database names returned by indexedDB.databases(). In Private Browsing, database names are mapped to UUIDs stored in a global hash table shared across all origins and lasting until the browser fully restarts. Because results are returned using hash table iteration without sorting, the order becomes a stable, high-entropy fingerprint consistent across tabs, sites, and sessions, even persisting after closing private windows and through Tor Browser’s “New Identity.” This enables cross-origin and same-origin tracking without cookies.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CVE-2026-6770)
Source: SecurityAffairs
Source Link: https://securityaffairs.com/191374/security/firefox-bug-cve-2026-6770-enabled-cross-site-tracking-and-tor-fingerprinting.html