We Found a Stable Firefox Identifier Linking All Your Private Tor Identities

Your private browser leaves a trace that websites can read.

Mozilla confirmed the bug exists in Firefox. A new identifier links private Tor sessions to each other. The browser process keeps the data alive.

Firefox does not clear storage when switching to Tor mode. The browser retains databases created during normal browsing even after launching private windows. Developers can exploit this behavior to build a persistent identifier across your sessions.

The ID persists after closing windows

Unrelated sites can track via this ID

Unrelated websites can track you through this persistent ID. A site visited while browsing normally leaves a trace in storage. That trace survives the switch to Tor and allows other sites to recognize your session. You might think you are anonymous in private mode, but the fingerprint remains.

The fix arrives with Firefox 150

Mozilla released a fix for the IndexedDB tracking issue in Firefox version 150. The new update changes how the browser reports stored databases. Switching to Tor now clears the storage state properly. The old vulnerability that allowed session correlation is gone in this release.

The Tor Browser Inheritance and Risk

Tor Browser inherits the Gecko engine from Firefox. This shared foundation means the indexing vulnerability applies directly to standard Firefox users. The same mechanism that affects Tor affects your private browsing sessions too.

In Firefox Private Browsing mode, the API indexedDB.databases() returns database metadata in an order derived from internal storage structures rather than from database creation order. A website can use the ordering of databases returned by indexedDB.databases() to create a stable fingerprint for a running browser process, linking activity across different origins.
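The ordering signal described above, and the effect of answering in a fixed sorted order instead, as a Node.js simulation added here (not Firefox or Mozilla code). The `makeProcess` helper, the HMAC salt standing in for process-internal storage state, and the `db-NN` names are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Simulated browser process. ASSUMPTION: a per-process salt stands in for the
// internal storage structures that decide iteration order in the affected builds.
function makeProcess(salt) {
  const key = (name) => crypto.createHmac("sha256", salt).update(name).digest("hex");
  const byKey = (a, b) => (key(a) < key(b) ? -1 : key(a) > key(b) ? 1 : 0);
  return {
    // Affected model: order depends on process state, not on creation order.
    listUnordered: (names) => [...names].sort(byKey),
    // Mitigation model: always answer in lexicographic order.
    listSorted: (names) => [...names].sort(),
  };
}

// What an observer can read from a listing: the permutation of the known names.
function orderSignal(listing, names) {
  return listing.map((n) => names.indexOf(n)).join(",");
}

// Upper bound on the information an ordering of n names can carry: log2(n!).
function maxBits(n) {
  let bits = 0;
  for (let i = 2; i <= n; i++) bits += Math.log2(i);
  return bits;
}

// Constructed sample: 16 fixed database names that any origin could create.
const NAMES = Array.from({ length: 16 }, (_, i) => `db-${String(i).padStart(2, "0")}`);

function compare() {
  const procA = makeProcess("process-A-salt"); // constructed salts
  const procB = makeProcess("process-B-salt");
  const reversed = [...NAMES].reverse(); // a second origin creating in another order
  return {
    sameProcessSiteX: orderSignal(procA.listUnordered(NAMES), NAMES),
    sameProcessSiteY: orderSignal(procA.listUnordered(reversed), NAMES),
    otherProcess: orderSignal(procB.listUnordered(NAMES), NAMES),
    sortedA: orderSignal(procA.listSorted(reversed), NAMES),
    sortedB: orderSignal(procB.listSorted(NAMES), NAMES),
  };
}

console.log(compare(), `max bits for 16 names: ${maxBits(16).toFixed(1)}`);
```

In the affected model the two origins in one process read the same permutation and a second process reads a different one; with sorted output every process returns the same listing, so the order carries no per-process information.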

The identifier derived from indexedDB.databases() can persist after all private windows are closed, provided the Firefox process remains running. This creates a long-term profile where activity traces survive even after you close your tabs. The data is not truly private if the process stays open.

Mozilla released a fix for the IndexedDB tracking issue in Firefox version 150 and ESR 140.10.0. Enterprise users on older builds face different implications. The ESR version delays updates for stability reasons, leaving organizations exposed longer than consumers.

The fix applies only to specific version numbers. Users on older builds remain vulnerable. Process-scoped state means the risk ends only when the browser process terminates. Canonicalizing results allows trackers to link sessions despite private mode settings.

Tor identity relies on hiding this very state. The same weakness that Tor inherits means the browser's primary anonymity layer contains a flaw. Tor users face the same tracking risk as standard Firefox users. The distinction between private modes and Tor mode is not as protective as marketing suggests.

These versions differ in update frequency. Enterprise systems prioritize stability over rapid vulnerability patches. The risk applies to anyone running older builds. Check your version number before assuming protection. The Tor Browser is not immune to this issue.

The fix comes in two separate releases. One addresses ESR for enterprise stability teams. The other updates the main Firefox channel. Both contain the same underlying patch. Version 150 carries the fix. ESR 140.10.0 does too.

Key points

  • The API returns metadata in a specific order.
  • Websites use the order to create a stable fingerprint.
  • The identifier persists after closing all private windows.
  • Unrelated sites can track you via this persistent ID.
  • Mozilla released a fix in Firefox version 150.

What you can do about it

If you are using Firefox 149 or older, update immediately. If you run an Enterprise release, wait for your IT department to patch the system. Users on the main channel should download version 150 as soon as it becomes available.

You can verify your version in the browser's "About" menu. The "Update Firefox" button handles the installation automatically. Once the update finishes, check the settings again to confirm the fix is active.

Creating distinct profiles also helps. Start a new Firefox profile specifically for private browsing. This keeps your normal browsing data separate from your private sessions. Do not use a single profile for everything if you value anonymity.

Containers offer another layer of protection. They isolate websites into separate environments. A tracking cookie in one container cannot see data from another. Use this feature if you must keep data between sessions but want to limit tracking.

The company behind the tracker has not commented publicly. The vulnerability affects anyone who has not updated their browser. Keep your software current to avoid this specific tracking risk.
