
A newly disclosed vulnerability in Firefox and Tor Browser allowed websites to generate a stable, process-level identifier using IndexedDB, undermining private browsing protections and cross-site isolation.
The issue has been fixed in recent Firefox releases following responsible disclosure to Mozilla. The Tor Browser, which is built on top of the Gecko engine and inherits core functionality from Firefox, was also affected by this flaw.
Security researchers Dai Nguyen and Martin Bajanik uncovered the flaw during an internal investigation into browser fingerprinting vectors. The researchers demonstrated that the indexedDB.databases() API, normally used by developers to inspect client-side databases, can leak a deterministic ordering of database entries that acts as a persistent identifier tied to the browser process rather than a specific website or session.
The root cause lies in how Firefox handles IndexedDB database names in private browsing mode. Instead of using human-readable names, the browser maps them to UUID-based identifiers stored in a global hash table shared across all sites. When websites call indexedDB.databases(), the results are returned in an order determined by the internal structure of that hash table. Since this structure remains stable throughout the lifetime of the browser process, the ordering becomes a reproducible fingerprint.
The researchers showed that two unrelated websites running identical scripts could independently generate the same database ordering and use it to link user activity across origins. Even more concerning, this identifier persisted in Firefox’s Private Browsing mode after all private windows were closed, as long as the browser process itself remained active. In Tor Browser, the identifier survived the “New Identity” reset feature, which is specifically designed to prevent session linkage by clearing state and rotating network circuits.
From a privacy standpoint, this behavior violates two core expectations: that separate websites cannot correlate activity without explicit sharing of data, and that private sessions are fully cleared when closed. The vulnerability effectively bypassed both guarantees without relying on cookies, localStorage, or other traditional tracking mechanisms.
By controlling the number of IndexedDB databases created, a malicious site could generate a high-entropy identifier by permuting the returned entries. With just 16 databases, the theoretical entropy reaches approximately 44 bits, more than enough to uniquely distinguish browser instances in real-world scenarios.
Mozilla addressed the issue in Firefox 150 and ESR 140.10.0 under Bug 2024220. The fix involves canonicalizing the order of results returned by indexedDB.databases(), eliminating the variability caused by internal data structures. This removes the entropy source while preserving the API’s intended functionality for developers.
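As an added illustration of the canonicalization fix (this is not Mozilla's patch), the following JavaScript models the { name, version } records that indexedDB.databases() resolves to, sorts them into a canonical order so the process-specific permutation carries no information, and computes the log2(n!) entropy figure cited above; the sort key and the sample entries are assumptions.

```javascript
// Added example, not Mozilla's code. indexedDB.databases() resolves to an
// array of { name, version } objects. Before the fix the array order mirrored
// an internal hash table that was stable for the life of the browser process;
// canonicalizing the order removes that entropy source.

// Canonical ordering (assumed key): name in code-unit order, then version.
function canonicalize(entries) {
  return entries
    .map(({ name, version }) => ({ name, version }))
    .sort((a, b) =>
      a.name < b.name ? -1 : a.name > b.name ? 1 : a.version - b.version);
}

// Defender's check: does a result array already come back in canonical order?
// A patched browser should return true for every call, on every origin.
function isCanonical(entries) {
  const c = canonicalize(entries);
  return entries.every((e, i) => e.name === c[i].name && e.version === c[i].version);
}

// Entropy in bits of a uniformly random permutation of n distinct entries: log2(n!).
// For n = 16 this is about 44.25 bits, the figure quoted in the article.
function permutationEntropyBits(n) {
  let bits = 0;
  for (let i = 2; i <= n; i++) bits += Math.log2(i);
  return bits;
}

// Constructed sample: the same four databases as two origins might have observed
// them from an unpatched process (hash-table order, identical across origins).
const SEEN_BY_ORIGIN_A = [
  { name: 'db3', version: 1 }, { name: 'db0', version: 1 },
  { name: 'db2', version: 1 }, { name: 'db1', version: 1 },
];
const SEEN_BY_ORIGIN_B = SEEN_BY_ORIGIN_A.slice();

// After canonicalization both origins see the same, content-only ordering,
// so the permutation no longer distinguishes one browser instance from another.
console.log(isCanonical(SEEN_BY_ORIGIN_A));                     // false
console.log(isCanonical(canonicalize(SEEN_BY_ORIGIN_A)));       // true
console.log(permutationEntropyBits(16).toFixed(2));             // ~44.25
```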
Users are advised to update to the latest version of Firefox or Tor Browser as soon as possible. Restarting the browser process can also temporarily mitigate exposure, as the identifier resets on full restart.