We found a stable Firefox identifier linking all your private Tor identities


A privacy vulnerability was discovered in Firefox-based browsers, including Firefox Private Browsing mode and the anonymity-focused browser, that allows websites to derive a stable, process-scoped identifier from the ordering of entries returned by the IndexedDB `databases()` API. Because the internal UUID-to-filename mapping is stored in a process-wide hash table and not scoped per origin, unrelated websites can independently observe the same permutation and link user activity across origins without cookies or shared storage. In Firefox Private Browsing mode, the identifier persists even after all private windows are closed, for as long as the process runs. In the anonymity-focused browser, it survives the "New Identity" reset, defeating its core unlinkability guarantee. With 16 controlled database names, the ordering provides ~44 bits of entropy, more than enough to uniquely identify browser instances. Mozilla patched the issue in Firefox 150 and ESR 140.10.0 (CVE-2026-6770) by canonicalizing the returned order. The issue was responsibly disclosed to both Mozilla and the anonymity-focused browser project.
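A model of the leak and of the canonicalization fix described above, added here as an example (not code from the original article or from Mozilla). The names `db00`..`db15`, the seeded shuffle standing in for the process-wide hash table, and lexicographic sort as the canonical order are assumptions.

```javascript
// Upper bound on the information carried by the order of n distinct names: log2(n!).
function orderingEntropyBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

// Small deterministic PRNG (mulberry32) so each modelled "process" has a fixed order.
function mulberry32(a) {
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Unpatched model: the returned order depends only on per-process state
// (processSeed, hypothetical), never on the origin that asks.
function unpatchedOrder(names, processSeed) {
  const rnd = mulberry32(processSeed);
  const out = [...names];
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rnd() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Patched model: the same internal order is sorted before it is returned,
// so every process reports the same sequence.
function canonicalOrder(names, processSeed) {
  return unpatchedOrder(names, processSeed).sort();
}

// Regression check: true when the observed order is sorted and therefore
// carries no process-specific signal. In a browser test page the input would be
// (await indexedDB.databases()).map(d => d.name).
function isCanonical(observed) {
  return observed.every((v, i) => i === 0 || observed[i - 1] <= v);
}

// Constructed sample input: 16 zero-padded database names.
const NAMES = Array.from({ length: 16 }, (_, i) => "db" + String(i).padStart(2, "0"));
console.log(orderingEntropyBits(NAMES.length).toFixed(2), "bits");
console.log("unpatched canonical?", isCanonical(unpatchedOrder(NAMES, 1)));
console.log("patched canonical?  ", isCanonical(canonicalOrder(NAMES, 1)));
```
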

8m read time. From fingerprint.com
Table of contents
- Why this matters
- What is IndexedDB and what does indexedDB.databases() do?
- How indexedDB.databases() became a stable identifier
- Reproducing the issue
- Privacy impact
- Entropy and fingerprinting capacity
- The fix
- Responsible disclosure
- Building for privacy
