- Researchers uncovered a flaw in Firefox and Tor Browser that allowed websites to generate hidden, stable identifiers without cookies.
- The issue stemmed from IndexedDB behavior, enabling persistent fingerprinting even in private browsing or Tor’s “New Identity” mode.
- Mozilla and Tor quickly patched the vulnerability, with fixes included in Firefox 150 and Tor Browser 15.0.10.
Browsers like Mozilla Firefox and Tor Browser contained a vulnerability where websites could create a hidden ID from browser sessions without using cookies or otherwise obvious tracking methods.
The vulnerability was discovered by security researchers Dai Nguyen and Martin Bajanik of Fingerprint. In an in-depth report published earlier this week, the duo said the issue allowed websites to derive a “unique, deterministic, and stable process-lifetime identifier” from the order of entries returned by IndexedDB, even when users expect “stronger isolation”.
IndexedDB is a built-in browser database that lets websites store large amounts of structured data (like files or app data) directly on the device. It allows web apps to work faster and even offline without constantly talking to a server. However, when a site asked the browser for a list of stored items, the order of that list wasn’t random. Instead, it reflected internal browser behavior, which could be turned into a unique fingerprint.
Private Browsing
While this sounds bad for more privacy-oriented users, it gets even worse since the vulnerability persisted even when using the private browsing mode.
“In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running,” the researchers explained. “In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.”
Fingerprint responsibly disclosed the issue to both Mozilla and the Tor Project, and patches were quickly released. Mozilla addressed it in Firefox 150 and ESR 140.10.0, while tracking the patch in Mozilla Bug 2024220. Tor fixed it indirectly, by pulling Mozilla’s fix. According to available reports, Tor Browser version 15.0.10 includes the same security update that solved the issue in Mozilla Firefox.
