- A newly disclosed loophole in Tor Browser and Firefox lets websites silently track users across private sessions without cookies.
- Researchers at Fingerprint discovered that both browsers leak a stable internal identifier, making private browsing far less private than users expect.
- Mozilla patched the bug in Firefox 150, released April 21st, 2026, but unpatched users remain exposed.

The internet’s most trusted privacy tools are under fire. Security researchers at Fingerprint, a company specializing in online visitor identification, just uncovered a major loophole affecting all Firefox-based browsers, including the privacy-first Tor Browser. The flaw lets websites silently track users across sessions, even when those users believe they are browsing privately.
The researchers found that both browsers leak what they describe as “a unique, deterministic, and stable process-lifetime identifier,” allowing websites to fingerprint users for as long as the Firefox process runs on their system.
Switching to a “New Private Window” in Firefox or selecting “New Identity” in Tor Browser does nothing to break this link. Repeated visits to the same site, or visits to different sites that run the same script, can all be traced back to the same running browser instance, and therefore to the same user.
“Unassociated sites can connect queries across origins amid the same runtime of the browser, and private-session thresholds are deterred due to the identifier outlasting what users would reasonably expect,” the researchers cautioned.
Mozilla moved quickly, patching the vulnerability in Firefox version 150, released Tuesday, April 21st, 2026.
The Science Behind The Loophole
The culprit sits inside a feature most users never see. Websites routinely create and store multiple databases on a user’s device for things like offline support, caching, and session state. They do this through a JavaScript API, the Indexed Database API (IndexedDB).
Firefox applies a privacy mask in private browsing mode, replacing real database names with random identifiers (UUIDs). Researchers at Fingerprint, however, spotted a critical detail hiding in plain sight: the browser always returns those databases in the same order, and that order depends on the browser’s internal state for that running process.
“IndexedDB sends back database metadata in an order based on internal storage infrastructures, not the order in which the databases existed,” the company explained. The browser neither sorts nor randomizes the sequence before returning results, which turns that predictable order into a reliable fingerprint.
A website running the right script can create a fixed set of named databases on a user’s machine, read the order in which Firefox lists them back (via indexedDB.databases()), and lock in a fingerprint. The next visit from the same browser instance produces an identical result. Only a full browser restart resets the sequence.
“It persists across reloads and new private windows, even after closing all private windows. Only a full browser restart yields a new one, and that is exactly what users do not want from a privacy perspective,” the report stated.
The researchers showed that with only 16 controlled database names there are 16! possible orderings, more than 20 trillion, which is more than enough to tell apart every browser instance that could realistically be running at the same time.
Massive Privacy Implications Ahead
The flaw quietly dismantles the core promises these browsers make to their users. Clearing cookies, wiping browsing history, switching Tor circuits: none of these actions provides any real anonymity guarantee while this identifier remains active.
Tor Browser carries an especially high burden here. The browser exists specifically to reduce cross-site linkability and prevent anyone from building a stable browser-level identity. This flaw cuts directly against that purpose.
The researchers warned that even if the identifier only lasts until the browser process is fully restarted, that is still enough to reduce unlinkability while the browser is in active use.
What makes the issue particularly dangerous is that any website running the same fingerprinting script can read the same identifier and silently connect a user’s activity across completely unrelated sites, all without a single cookie.
Separately, in response to growing privacy concerns, the latest Tor Browser update removed Mozilla’s AI components, along with the telemetry and AI-driven features that could potentially compromise user anonymity, reinforcing Tor’s commitment to being the gold standard for private browsing.
Interestingly, Fingerprint, the company that found the flaw, does not use it in its own products. The company’s CTO addressed this on Hacker News, stating, “We don’t use vulnerabilities in our products.”
How to Stay Protected
The fix itself is straightforward: returning the database list in a sorted, canonical order hides the internal storage layout entirely and eliminates the fingerprint.
Users who value their privacy should update their browsers immediately. Mozilla’s patch is live in Firefox 150 and ESR 140.10.0; the installed version can be checked under Help > About Firefox. The latest Tor Browser release also builds on ESR 140.10.0, extending the same protection to Tor users.