Firefox/Tor Privacy Flaw: IndexedDB Leak Links Private Browsing Sessions

If you've ever relied on Tor Browser for anonymity, you might want to update immediately. Security researchers at Fingerprint.com just disclosed a vulnerability that could link all your supposedly private Tor identities through a single, stable browser identifier—completely undermining the privacy guarantees that make Tor useful in the first place.

The culprit? Firefox's IndexedDB implementation, which was leaking a persistent identifier across sessions that should have been isolated.

What Was Discovered

The vulnerability affects Firefox and Tor Browser (which is built on Firefox ESR). Researchers at Fingerprint.com found that IndexedDB—the browser-based database API that web applications use to store structured data locally—was generating a stable identifier that persisted across what should have been completely isolated browsing contexts.

Here's why that matters: Tor Browser is specifically designed to make each session unlinkable. When you close Tor and open a new session, you should appear as a completely different user. No cookies, no cache, no persistent identifiers. But this IndexedDB flaw created a unique fingerprint that remained constant across all your Tor sessions, effectively linking them all to the same person.

The researchers demonstrated that by simply querying IndexedDB characteristics, a malicious website could generate a stable identifier and track users across sessions—even when those users took every precaution to remain anonymous. The vulnerability received significant attention on Hacker News, drawing over 570 upvotes and 163 comments from security-conscious developers.

How IndexedDB Became a Fingerprinting Vector

IndexedDB is a powerful client-side storage mechanism built into modern browsers. Unlike cookies or localStorage, it can handle complex data structures and large volumes of information. For web developers, it's an essential tool for building offline-capable progressive web apps and high-performance client-side applications.

But with that power comes risk. The IndexedDB implementation in Firefox was generating internal identifiers that were supposed to be ephemeral but were actually persisting across browser restarts and privacy mode sessions. According to the Fingerprint.com research, these identifiers could be extracted through timing attacks or by analyzing database operation characteristics.

The technical details are sobering: even without storing any actual data, simply creating and querying IndexedDB databases revealed patterns unique to each browser installation. Combined with other fingerprinting techniques, this created a highly reliable tracking mechanism that bypassed Tor's built-in protections.

This isn't theoretical. The researchers published working proof-of-concept code demonstrating the attack. Any website could implement this tracking technique with just a few lines of JavaScript.

The Fix and What It Means for Developers

Mozilla has now patched the vulnerability in the latest Firefox releases, and the Tor Project has incorporated the fix into Tor Browser. If you're running Firefox or Tor Browser, update immediately.

But this disclosure raises bigger questions for web developers building privacy-conscious applications. IndexedDB is just one of dozens of browser APIs that can leak identifying information. localStorage, Canvas, WebGL, font enumeration, and even basic JavaScript engine characteristics can all contribute to browser fingerprinting.

Here are the key takeaways:

For privacy-focused developers: Don't assume that "private browsing mode" or Tor actually provides the isolation it promises. Test your applications with tools like Fingerprint.com's open-source detection libraries or Panopticlick to understand what identifiers you might be leaking—even unintentionally.

For web application developers: Be mindful that any client-side storage mechanism—including IndexedDB—can be analyzed for fingerprinting. If your app handles sensitive data, document what persistent identifiers you're creating and why.

For security researchers: This disclosure highlights the ongoing arms race between privacy tools and tracking techniques. Browser APIs designed for legitimate functionality often create unintended privacy risks. The IndexedDB issue was hiding in plain sight for years.
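
One way to act on the first two takeaways, as an added example that is not from the Fingerprint.com research or from Mozilla: compare storage snapshots taken in two sessions that should be unlinkable and flag any high-entropy value present in both. The snapshot shape, the 32-bit threshold and all sample values are assumptions made for illustration; the check covers identifiers your own application writes, not the browser-level leak itself.

```javascript
// Added example: find values that persist across two sessions meant to be
// unlinkable. Snapshot shape and every sample value below are constructed.
const SESSION_A = {
  cookies: { sid: "k2Jx9QpLm4Vt7RzA" },
  localStorage: { theme: "dark", locale: "en-US" },
  indexedDB: { "app-cache": { meta: { schemaVersion: 3,
    installId: "3f9c2a71-5b1e-4c0d-9a66-0e8d7b2f4c15" } } },
};
const SESSION_B = {
  cookies: { sid: "Wn8Ty3HbQe6Dc1Uf" },
  localStorage: { theme: "dark", locale: "en-US" },
  indexedDB: { "app-cache": { meta: { schemaVersion: 3,
    installId: "3f9c2a71-5b1e-4c0d-9a66-0e8d7b2f4c15" } } },
};

// Flatten a nested snapshot into [path, value] pairs of primitive leaves.
function flatten(obj, prefix = "") {
  return Object.entries(obj).flatMap(([key, value]) => {
    const path = prefix ? `${prefix}.${key}` : key;
    return value !== null && typeof value === "object"
      ? flatten(value, path)
      : [[path, String(value)]];
  });
}

// Rough information content: Shannon entropy per character times length.
function entropyBits(s) {
  const chars = Array.from(s);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * chars.length;
}

// Report every high-entropy value present in both sessions, with its paths.
// Shared low-entropy settings ("dark", "3") fall below minBits and are skipped.
function findLinkableValues(a, b, minBits = 32) {
  const inA = new Map();
  for (const [path, value] of flatten(a)) {
    inA.set(value, [...(inA.get(value) || []), path]);
  }
  return flatten(b)
    .filter(([, value]) => inA.has(value) && entropyBits(value) >= minBits)
    .map(([path, value]) => ({ value, pathsA: inA.get(value), pathB: path }));
}
console.log(findLinkableValues(SESSION_A, SESSION_B));
```

On the constructed snapshots the only finding is `indexedDB.app-cache.meta.installId`, which is the kind of persistent identifier the second takeaway asks you to document.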

The Bigger Picture

This vulnerability is a reminder that privacy and security are never "solved." Even mature, well-audited tools like Firefox and Tor Browser can harbor subtle flaws that undermine their core guarantees.

The IndexedDB leak is particularly troubling because it affected the very users who care most about privacy—the ones using Tor. These aren't casual users; they're journalists, activists, security researchers, and others who may face real-world consequences if their identities are exposed.

For the broader developer community, this serves as a wake-up call about the fingerprinting surface area of modern web browsers. Every API, every feature, every optimization creates potential privacy leaks. As we build more powerful web applications, we need to be equally vigilant about the privacy implications of the technologies we use.

The good news is that responsible disclosure worked here. Fingerprint.com reported the issue, Mozilla and the Tor Project responded quickly, and users now have patches available. But how many similar vulnerabilities are still out there, waiting to be discovered?

If you're building anything that touches user privacy, it's worth reading the full technical disclosure at fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability. And if you haven't updated your browsers lately, now would be a very good time.