How a Firefox IndexedDB Ordering Bug Linked Your Tor Identities

# How a Firefox IndexedDB Ordering Bug Linked Your Tor Identities

It linked your Tor identities because a Firefox bug made indexedDB.databases() return results in an order that deterministically encoded a process‑lifetime identifier—a stable value tied to the running browser process. Any site running JavaScript could read that ordering, derive the same identifier, and then correlate activity across unrelated origins; in Tor Browser, that identifier could persist through a “New Identity” reset so long as the underlying browser process didn’t restart, undermining unlinkability.

The core bug: an “ordering leak” hiding in plain sight

At a high level, indexedDB.databases() is a JavaScript API that enumerates metadata about an origin’s IndexedDB databases. The vulnerability was not about exfiltrating database contents or bypassing origin isolation directly. Instead, it was about something subtler: the sequence in which the metadata entries were returned.

Researchers found that the enumeration order was non-neutral—it wasn’t simply sorted or otherwise privacy-scrubbed. That order effectively acted like a fingerprint because it embedded a deterministic, stable identifier that lasted for the lifetime of the browser process. In other words, the way the browser listed databases could be turned into a unique signal.

This is the kind of bug that’s easy to miss in traditional security thinking: developers often focus on whether an API returns “the right data,” not whether it returns it in a way that leaks hidden state through ordering.

How sites turned it into cross-origin correlation

The attack primitive described in the public analysis is straightforward in concept:

1. A page creates (or probes) a known pattern of IndexedDB databases.
2. The page calls indexedDB.databases() and observes the ordering of the results.
3. The page derives a stable identifier from that ordering.
4. A different site—on a different origin—can perform the same steps and derive the same identifier as long as the user is in the same browser process.

The key is the scope: the identifier was process-scoped, not origin-scoped. That means it didn’t behave like normal web storage signals (which are usually partitioned by origin). Instead, it behaved like a hidden “shared constant” available to any origin that knew how to ask the right question.

This creates a powerful linking tool for adversaries who can run scripts across multiple origins—think embedded third-party scripts, trackers, or any set of cooperating sites. They don’t need cookies or long-lived storage; they just need the user to visit multiple places within the same browser runtime.

For more on how small implementation details can become unexpected tracking vectors, see our related explainer: Today’s TechScan: Fast Batteries, Buggy Browsers, and Modular Hardware Surprises.

Why it broke Private Browsing and Tor “New Identity” expectations

The privacy impact came from the mismatch between what users reasonably expect and what the bug enabled.

Cross-origin fingerprinting without cookies. Because the identifier came from a process-lifetime property encoded in an API output, it could be used to correlate browsing across sites without relying on cookies, localStorage persistence, or other obvious trackers.

Private Browsing isolation undermined. In Firefox Private Browsing, the process-lifetime identifier could persist even after private windows were closed—as long as the overall browser process remained running. That violates the common expectation that closing private windows “ends” a private session’s linkability.

Tor Browser “New Identity” undermined. In Tor Browser, the “New Identity” feature is intended to reset state so a user can separate activities into distinct identities. But if the fingerprint is tied to the browser process itself, then resetting tabs and in-process state may not fully remove the linking signal. The disclosed issue specifically noted that this identifier could survive a “New Identity” reset when the browser process persisted—effectively linking sessions users expected to be unlinkable.

The result is especially serious for privacy-sensitive users—journalists, activists, and others—who rely on Tor Browser’s identity separation guarantees.

Disclosure, tracking, and the fix

The issue was publicly disclosed on April 23, 2026 by Fingerprint.com, following coordinated disclosure with Mozilla and the Tor Project. The vulnerability is tracked as CVE-2026-6770 (listed in the NVD).

Mozilla patched the bug in Firefox 150 and Firefox ESR 140.10.0. The described remediation is conceptually simple but important: canonicalize the output so that indexedDB.databases() no longer returns an order that leaks process-lifetime entropy—e.g., by sorting results (or otherwise ensuring a deterministic, privacy-neutral ordering).

This is an instructive pattern for privacy engineering: even if an API only exposes metadata, you often must treat ordering, timing, and other “incidental” characteristics as potentially sensitive outputs.

Why It Matters Now

This matters now because the fix is recent (Firefox 150 / ESR 140.10.0), and real-world exposure depends on patch adoption. Many users—especially in enterprise environments, on long-lived ESR tracks, or on forks/derivatives—can lag behind security releases. The disclosure also underscores a broader theme in browser security: modern fingerprinting isn’t limited to classic storage identifiers. It increasingly exploits edge-case behaviors in “normal” web APIs.

In practical terms, the news hook here isn’t just “there was a bug.” It’s that a single implementation detail—enumeration order—was enough to create a cross-origin correlation handle that could survive the very resets people use to protect themselves.

What developers and browser vendors should do

The research points to defensive moves that generalize beyond this specific API:

• Canonicalize and minimize API outputs. If an API returns a list, ensure the enumeration is privacy-neutral (for example, sorted), rather than reflecting process state.
• Audit metadata surfaces, not just data access. The bug demonstrates how metadata and presentation details can leak identifiers even without violating origin access controls.
• Add tests targeting correlation. Automated checks can look for signals that remain stable across origins within the same process, especially around storage enumeration APIs.
• Coordinate disclosure and communicate clearly. Coordinated handling with downstream privacy-focused projects (like Tor Browser) is critical when a fix affects anonymity guarantees.

What users should do right now

• Update to a patched version: Firefox 150 or ESR 140.10.0, and use an updated Tor Browser build that includes the fix for CVE-2026-6770.
• Restart the browser application. Because the identifier was process-lifetime scoped, restarting helps clear any in-process state that could be used for linking.
• For high-risk use cases, stick to official releases and keep them current; forks may lag on security-critical privacy fixes.

What to Watch

• Patch propagation in derivatives and forks. Verify that privacy-focused Firefox-based builds have actually incorporated the fix, not just bumped version branding.
• Follow-up research on “ordering leaks.” Similar correlation risks can exist in other enumeration-style APIs and storage-adjacent surfaces.
• Hardening patterns from vendors. Watch whether browsers adopt systematic rules—like mandatory sorting/canonicalization—for API outputs that could otherwise encode hidden state.
• Ongoing tracking for regressions. Keep an eye on updates tied to CVE-2026-6770 and related bug tracking (including references discussed in the public write-ups).

Sources: fingerprint.com | conzit.com | nvd.nist.gov | gist.github.com | firefox-source-docs.mozilla.org | teo9i.com