Major privacy flaw in Tor, Firefox, exposes users across sessions, even in “Private Window”


Two of the internet's most trusted privacy tools have taken a hit. A flaw in Firefox and Tor Browser allows websites to silently track users across private sessions for as long as the browser process keeps running. The disclosure comes from Fingerprint, a company that sells visitor identification to businesses.

Security researchers at Fingerprint unveiled a flaw affecting all Firefox-based browsers, including Tor Browser. The browsers leak a stable per-process identifier that lets websites link a visitor's activity across the web without traditional tracking methods such as cookies.

“The issue allows websites to derive a unique, deterministic, and stable process-lifetime identifier,” reads the report about linking private Tor and Firefox identities.


This means that users can be fingerprinted for as long as the browser process is running. Despite choosing “New Identity” in Tor Browser or opening a “New Private Window” in Firefox, repeated visits to the same or different websites can be traced back to the same user.

“The impact is significant. Unrelated websites can link activity across origins during the same browser runtime, and private-session boundaries are weakened because the identifier survives longer than users would expect,” the researchers warn.


Mozilla patched the bug in Firefox version 150, which was released on Tuesday, April 21st, 2026.

Why would a company, relying on fingerprinting, disclose such a vulnerability?

“We don't use vulnerabilities in our products,” responded Fingerprint.com’s CTO on the Hacker News forum.

How does it work?

While you browse, websites create and store multiple databases on your device for offline support, caching, session state, and other needs. For that, they use the browser's built-in Indexed Database API, or IndexedDB, which is exposed to page JavaScript.


In private browsing mode, Firefox masks this data, replacing database names with random identifiers (UUIDs).


However, the researchers noticed “a small implementation detail”: when a page enumerates its databases, the browser always returns them in the same order. That order depends on the browser's internal state, which is unique to the running instance, making it an effective fingerprint.

IndexedDB returns database metadata “in an order derived from internal storage structures rather than from database creation order,” the company explained. The browser does not canonicalise the sequence before handing it to the page.

In practice, a website creates a fixed set of databases with names of its choosing, enumerates them, and treats the order in which Firefox or Tor Browser returns them as the fingerprint. On the next visit the order, and therefore the fingerprint, is identical. Only fully restarting the browser resets it.

“It persists across reloads and new private windows, even after all private windows are closed. Only a full browser restart yields a new one. That is exactly what you do not want from a privacy perspective,” the report reads.

What makes this fingerprint particularly dangerous is that any other website running the same script sees the same ordering and can covertly link the user's activity across sites.

The researchers demonstrated that with 16 controlled database names, a website could observe any one of 16! possible orderings, more than 20 trillion (about 2.09 × 10^13).


“That is far more than enough to distinguish realistic numbers of concurrent browser instances in practice.”
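To make the mechanism concrete, here is an added example, written for this article rather than taken from Fingerprint's report or Mozilla's patch, of how a tracking page turns the enumeration order into an identifier, and why returning the listing in a canonical sorted order (the fix described below) removes the signal. It assumes the enumeration call is `indexedDB.databases()`, the only IndexedDB API that lists a site's databases; the probe names `fp-00` to `fp-15`, and the two listings standing in for two unpatched browser instances, are constructed for the example, since Node has no IndexedDB.

```javascript
// Added example: deriving the IndexedDB-ordering fingerprint and applying the fix.
// Not Fingerprint's or Mozilla's code. Runs offline under Node; the browser-side
// probe at the bottom uses the real IndexedDB API and is only called in a browser.

// Probe set: 16 database names the tracking page creates on every visit (names are
// assumptions for this example; zero-padded so lexical order equals creation order).
const PROBE_NAMES = Array.from({ length: 16 }, (_, i) => `fp-${String(i).padStart(2, "0")}`);

function factorial(n) {
  let f = 1;
  for (let k = 2; k <= n; k++) f *= k;
  return f;
}

// Lehmer-code rank of `order` among all permutations of `reference`: an integer in
// [0, n!). With 16 names that is 16! = 20,922,789,888,000 distinct values, exact in a
// JS Number (18! < 2^53).
function permutationRank(order, reference) {
  if (order.length !== reference.length) throw new Error("not a full permutation");
  const idx = order.map((name) => {
    const i = reference.indexOf(name);
    if (i < 0) throw new Error(`unexpected database ${name}`);
    return i;
  });
  if (new Set(idx).size !== idx.length) throw new Error("duplicate database name");
  let rank = 0;
  for (let i = 0; i < idx.length; i++) {
    let smallerAfter = 0;
    for (let j = i + 1; j < idx.length; j++) if (idx[j] < idx[i]) smallerAfter++;
    rank += smallerAfter * factorial(idx.length - 1 - i);
  }
  return rank;
}

// Unpatched behaviour: take the listing exactly as databases() returned it, keep our
// probe databases, and rank the order they came back in. Stable for the life of the
// browser process, so this number is the cross-site identifier.
function fingerprintFromListing(listing) {
  const order = listing.map((db) => db.name).filter((n) => PROBE_NAMES.includes(n));
  return permutationRank(order, PROBE_NAMES);
}

// The fix, as the browser should apply it: sort into a canonical order (here by name)
// so the listing no longer reflects internal storage layout. Every instance then
// yields the same order for the same names, and the rank collapses to a constant.
function canonicalListing(listing) {
  return [...listing].sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Constructed stand-ins for what two different unpatched browser instances might
// return: the same probe set, in two orders driven by internal state rather than
// creation order. Invented for this example, not captured from Firefox.
const byIndex = (ix) => ix.map((i) => ({ name: PROBE_NAMES[i], version: 1 }));
const INSTANCE_A = byIndex([5, 0, 11, 3, 14, 8, 1, 15, 6, 12, 2, 9, 13, 4, 7, 10]);
const INSTANCE_B = byIndex([9, 2, 15, 7, 0, 12, 4, 10, 13, 1, 6, 14, 3, 11, 8, 5]);

// Browser side, real API (indexedDB.databases() shipped in Firefox 126): create the
// probe set, enumerate, and rank. Only call this from a page; Node has no indexedDB.
async function probeOrderInBrowser() {
  await Promise.all(PROBE_NAMES.map((name) => new Promise((resolve, reject) => {
    const req = indexedDB.open(name, 1);
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  })));
  return fingerprintFromListing(await indexedDB.databases());
}

if (typeof indexedDB === "undefined") {
  // Offline demonstration on the constructed listings.
  console.log("instance A:", fingerprintFromListing(INSTANCE_A));
  console.log("instance B:", fingerprintFromListing(INSTANCE_B));
  console.log("after fix A:", fingerprintFromListing(canonicalListing(INSTANCE_A)));
  console.log("after fix B:", fingerprintFromListing(canonicalListing(INSTANCE_B)));
}
```

The two constructed instances rank to different numbers in the 16! space, and repeated probing of the same instance returns the same number, which is the process-lifetime identifier the report describes. Once the listing is sorted, both instances rank to the same constant and the identifier is gone; a patched browser should behave like `canonicalListing` regardless of what the page does.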


Massive privacy implications

The flaw undermines core privacy promises browsers make to their users: deleting cookies, clearing browsing history, and switching Tor circuits no longer sever the link between sessions while the browser process keeps running.

“Tor Browser is specifically designed to reduce cross-site linkability and minimize browser-instance-level identity. A stable process-lifetime identifier cuts directly against that design goal,” the researchers warned.

“Even if it only survives until a full process restart, that is still enough to weaken unlinkability during active use.”

The fix, however, is straightforward: return the databases in a canonical, sorted order, so that the listing no longer reveals the internal storage layout.

Users concerned about their privacy should update their browsers. The fix is available in Firefox 150 and Firefox ESR 140.10.0; the latest Tor Browser release is based on the latter.

