Firefox Vulnerability Exposes User Privacy in Private Browsing and Tor
AI-generated from multiple sources. Verify before acting on this reporting.
MOSCOW (AP) — A critical security flaw in Mozilla’s Firefox browser allows threat actors to track users across websites even when using Private Browsing mode or the Tor anonymity network, researchers announced Monday.
The vulnerability, discovered in Firefox’s IndexedDB API, undermines core privacy protections by enabling cross-domain activity linking without relying on cookies or shared storage. The issue stems from the browser’s internal handling of database names, which use consistent UUID mappings that persist across sessions and sites.
Mozilla and the Tor Project confirmed the flaw affects both Firefox and Tor Browser globally. The vulnerability was disclosed on April 27, 2026, following analysis by independent security researchers who demonstrated how the defect could be exploited to fingerprint users and defeat Tor’s New Identity isolation feature.
IndexedDB is a browser API for storing structured data locally. However, the flaw allows malicious actors to access internal identifiers that remain constant across different domains. This consistency enables tracking even when users clear cookies or switch to private browsing modes intended to erase digital footprints.
The Tor Project, which relies on Firefox as its base browser, stated that the vulnerability compromises its New Identity feature, which is designed to isolate browsing sessions and prevent correlation of user activity. Researchers showed that the flaw allows attackers to link separate browsing sessions to the same user, effectively bypassing the anonymity protections Tor provides.
Mozilla has acknowledged the issue and is working on a patch. The company stated that the vulnerability does not allow remote code execution but poses a significant risk to user privacy. Firefox users are advised to apply updates as soon as they become available.
The discovery highlights ongoing challenges in maintaining privacy in modern web environments. As browsers adopt more complex storage mechanisms, new attack vectors emerge that can circumvent traditional privacy controls. Experts note that similar flaws could exist in other browsers that implement IndexedDB or comparable technologies.
Researchers have not disclosed whether any active exploitation of the vulnerability has been observed in the wild. The full scope of the impact remains unclear, as the flaw affects both standard Firefox users and those relying on Tor for enhanced anonymity.
Mozilla and the Tor Project are expected to release detailed technical advisories outlining mitigation steps. Until then, users concerned about privacy are urged to exercise caution when browsing sensitive content or using services that rely on IndexedDB for data storage.
The incident underscores the difficulty of balancing functionality and privacy in web browsers. As online tracking techniques evolve, developers must continuously adapt to protect user data from emerging threats.