CVE-2026-6770 Vulnerability Found in Firefox and Tor Browser, Risk of Cross-Site Fingerprinting Tracking

234/69 Wednesday, April 29, 2026

Researchers have discovered a vulnerability, CVE-2026-6770, affecting Mozilla Firefox, Mozilla Thunderbird, and Tor Browser, classified as a medium-severity issue. This flaw may allow websites to generate unique identifiers for fingerprinting, enabling the tracking of user activity across different websites—even when users are in Private Browsing mode or using Tor Browser, which is designed to enhance privacy.

The issue stems from the indexedDB.databases() function, which returns its results in an order that can be used as a browser session identifier. In Private Browsing mode, database names are mapped to UUIDs stored in a global hash table that is shared across multiple origins and persists until the browser is completely closed. Because the returned data follows the order of the hash table without re-randomization, this sequence can serve as a stable identifier, allowing correlation of user activity across websites.

This vulnerability impacts user privacy, as the identifier may persist even after closing Private Browsing windows if the browser process is still running. In the case of Tor Browser, the identifier may remain even when using the “New Identity” feature, which is intended to reset sessions and clear data. Mozilla has released patches in Firefox 150, Firefox ESR 140.10, and a Thunderbird update published on April 21, 2026. Meanwhile, the Tor Project has released Tor Browser 15.0.10 to address the issue.

Source: https://securityaffairs.com/191374/security/firefox-bug-cve-2026-6770-enabled-cross-site-tracking-and-tor-fingerprinting.html