A vulnerability has been discovered in the Gecko browser engine (CVE-2026-6770) that lets a site generate a unique identifier for a browser and recognise that same browser again on other sites, i.e. link visits to different sites from the same browser. The issue affects all Firefox-based browsers, including Tor Browser, and works even in private browsing mode. The identifier is tied to the current browser process and is only reset when the browser is restarted. The vulnerability has been fixed in the latest releases of Firefox 150/140.10.0 and Tor Browser 15.0.10.
To generate an identifier, a site creates the same sequence of databases through the IndexedDB API and then reads back the order in which they are listed by the indexedDB.databases() method. The order differs between browser instances, but within a single instance it stays the same until the browser is restarted, regardless of which site performs the check; any site that creates the same set of databases therefore observes the same ordering.
For instance, creating the databases “a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, r” in one Firefox instance will always yield the same order from the indexedDB.databases() method, such as “g, c, p, a, l, f, n, r, d, j, b, o, h, e, m, i, k”. With 16 databases this method provides approximately 44 bits of entropy for identification. Clearing local browser storage or rotating Tor nodes does not affect the identifier.
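Where the 44-bit figure comes from, as an added derivation that is not part of the original article: if the browser lists $n$ databases in an order that is stable per instance but effectively random across instances, the observable is one of the $n!$ permutations of the set, so the identifying information is

$$
H(n) = \log_2 (n!)
$$

and for the 16-database case quoted above

$$
H(16) = \log_2 (16!) = \log_2 (20\,922\,789\,888\,000) \approx 44.25 \text{ bits}.
$$

The same formula gives about $48.3$ bits for the 17-database list in the example. The entropy grows faster than linearly in $n$, which is why a modest number of databases already gives an identifier far larger than the roughly $33$ bits needed to single out one browser among the world's population.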
The vulnerability stems from a detail of the IndexedDB implementation: the order in which databases are listed depends on internal data structures that are unique to each browser instance. Specifically, the order returned by indexedDB.databases() is determined by the databases' placement in a global hash table keyed by the internal UUID hashes associated with the database files' names on disk, and that table layout is fixed for the lifetime of the browser process.