Firefox Just Undermined Tor's Whole Promise

You fire up Tor because you want to disappear. Turns out Firefox may have been holding a receipt with your name on it the whole time. Researchers recently surfaced an IndexedDB vulnerability in Firefox that lets trackers tie an “anonymous” Tor session back to the same device running your logged-in, real-name browsing — and that’s a much bigger deal than the usual cookie-leak story.

What Actually Leaks

The issue lives inside IndexedDB, the client-side storage database API that Firefox exposes to every web page. An identifier that was supposed to be scoped — walled off between private windows, normal windows, and Tor sessions — turns out to persist across contexts when approached through a specific path.

In plain terms: the browser hands out a stable identifier that survives the boundaries it was supposed to respect. A tracker that sees the same ID in two places can confidently say “same device.” Clearing cookies doesn’t help. Switching to a VPN doesn’t help. The leak isn’t in the network layer — it’s in the browser engine itself.

Why Fingerprint.com Keeps Coming Up

Commercial device-identification vendors like Fingerprint.com have spent years building this capability in the open, and mostly for defensible reasons: bot detection, payment fraud, account takeover prevention. Stripe, Coinbase, and plenty of other legitimate businesses pay for exactly this.

That’s the uncomfortable part. The same primitives that stop a credential-stuffing attack can also deanonymize a source talking to a journalist. Fingerprinting is a dual-use technology, and this Firefox bug hands the dual-use crowd a gift: an identifier the user cannot clear, cannot proxy around, and in most cases does not even know exists.

Why Tor Users Should Care Most

Tor Browser is a hardened fork of Firefox ESR. When the upstream engine ships a leak, Tor inherits it. The entire value proposition of Tor — that a session through the onion network cannot be tied to your identity — assumes the browser itself isn’t quietly tagging you.

This is the part that has the Hacker News and r/privacy threads genuinely worried. Ad targeting getting sharper is annoying. A journalist’s source getting linked to their personal Gmail by a stable browser ID is a different category of problem. Activists in authoritarian regimes, whistleblowers, domestic-abuse survivors — these are the populations for whom “the browser leaked an ID” is not a PR headline but a physical-safety event.

What To Actually Do

Update, today. Mozilla and the Tor Project both move fast on this class of bug. Check your Firefox version, check Tor Browser, and apply whatever’s current. If you’re running an older ESR build because “it’s stable,” this is the week to reconsider.

Stop mixing profiles on the same machine. Even with a perfect browser, using the same device for your logged-in life and your anonymous life has always been risky. One slip, one tab opened in the wrong window, and the threat model collapses. Bugs like this one just lower the bar for how badly you have to slip.

Match the tool to the threat. If you genuinely need anonymity — not just ad-blocking, actual anonymity — Tor Browser alone was never the whole answer. Tails, a dedicated device, and network-level isolation exist because browser-level guarantees keep finding new ways to fail.

The Lingering Thought

Anonymity isn’t a setting you flip once. It’s a property that a dozen layers of software have to keep honoring every time you open a tab, and any one of them can quietly betray you. The uncomfortable lesson here isn’t that Firefox messed up — Firefox will patch it and move on. It’s that the people who most need these tools to work are the ones least equipped to audit them. Trusting your browser, it turns out, is itself a threat model.
