PT-2026-33956 · Mozilla+2 · Thunderbird+3
Published: 2026-04-21 · Updated: 2026-06-10 · CVE-2026-6770
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 150
Firefox ESR versions prior to 140.10
Thunderbird versions prior to 150
Thunderbird versions prior to 140.10
Tor Browser versions prior to 15.0.10
Description
An issue in the Storage: IndexedDB component allows websites to track users across different sites, tabs, and windows for the entire duration of the browser process. This persists even in Private Browsing mode, Tor Browser sessions, and after using the "New Identity" reset. The flaw exists because the indexedDB.databases() function returns metadata in a deterministic, unsorted internal bucket order from a global nsTHashSet called StorageDatabaseNameHashtable. By creating multiple controlled databases and reading the permutation order of the response, a stable tracking identifier (fingerprint) can be generated with approximately 44 bits of entropy, uniquely identifying users without their permission.
Recommendations
Update Firefox to version 150 or later.
Update Firefox ESR to version 140.10 or later.
Update Thunderbird to version 150 or 140.10 or later.
Update Tor Browser to version 15.0.10 or later.
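The ordering leak from the Description as a small JavaScript model, added here as an illustration (it is not Firefox code and not part of the original advisory). Assumptions: a database name's bucket depends on a per-process seed and not on the origin, 16 names are used because log2(16!) is about 44.25 bits, and sorting the returned names is one possible mitigation; the class, function and origin names are hypothetical.

```javascript
// Toy model of a process-wide hash set shared by all origins (not Firefox source).
// ASSUMPTION: bucket position depends on a per-process seed, never on the origin.
const NBUCKETS = 64;

function bucketOf(name, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0; // FNV-1a with a seeded initial state
  for (const ch of name) {
    h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  }
  return h % NBUCKETS;
}

class BrowserProcess {
  constructor(seed) {
    this.seed = seed;
    this.buckets = Array.from({ length: NBUCKETS }, () => []);
  }
  open(origin, name) { // every origin registers into the same global table
    this.buckets[bucketOf(name, this.seed)].push({ origin, name });
  }
  databases(origin, { sorted = false } = {}) {
    const names = this.buckets.flat() // walk buckets in internal order
      .filter((e) => e.origin === origin)
      .map((e) => e.name);
    return sorted ? names.sort() : names; // sorted = modelled mitigation
  }
}

// Constructed sample data: 16 names opened by two unrelated origins.
const NAMES = Array.from({ length: 16 }, (_, i) => `db${i}`);
const ORIGINS = ["https://a.example", "https://b.example"];

function observe(seed, origin, opts) {
  const proc = new BrowserProcess(seed);
  for (const o of ORIGINS) for (const n of NAMES) proc.open(o, n);
  return proc.databases(origin, opts).join(",");
}

// Upper bound on what an ordering of n names can encode: log2(n!) bits.
function permutationBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

console.log("same order on both origins:", observe(7, ORIGINS[0]) === observe(7, ORIGINS[1]));
console.log("bits in 16 names:", permutationBits(16).toFixed(2));
console.log("sorted output, two processes equal:",
  observe(7, ORIGINS[0], { sorted: true }) === observe(8, ORIGINS[0], { sorted: true }));
```

In the model, the unsorted order is identical for both origins within one process and changes with the process seed, which is what makes it usable as a cross-site identifier; the sorted output carries no such signal.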
Fix
DoS
Information Disclosure
Affected Products
Firefox
Red Os
Rocky Linux
Thunderbird