We found a stable Firefox identifier linking all your private Tor identities

Researchers discovered a privacy flaw in Firefox-based browsers that uses IndexedDB entry ordering as a stable process-lifetime identifier. This vulnerability allows cross-site tracking and persists even through Tor Browser's "New Identity" feature.
Researchers discovered a privacy vulnerability in Firefox-based browsers that allows websites to derive a stable, process-lifetime identifier from the order of entries returned by the indexedDB.databases() API.
In Private Browsing mode, Firefox maps database names to UUIDs using a global hash table. Because the API returns these names based on the hash table's internal iteration order—which is deterministic and shared across all origins—it creates a unique "fingerprint" for the running browser process. This allows unrelated websites to link user activity across different domains without using cookies.
The flaw is particularly severe for Tor Browser, as the identifier persists even after using the "New Identity" feature, which is supposed to prevent linkability between sessions. As long as the browser process is not fully restarted, the identifier remains the same.
Mozilla has addressed the issue in Firefox 150 and ESR 140.10.0 (Bug 2024220) by sorting/canonicalizing the API results to remove identifying entropy. This case highlights how internal implementation details, even in seemingly harmless APIs, can become vectors for cross-site tracking.
Source: Hacker News















