HeadlinesBriefing.com

Firefox Privacy Vulnerability Exposes Tor Browser Users to Cross-Site Tracking

Hacker News

Firefox 150 and Tor Browser users face a critical privacy flaw where websites can track activity across isolated sessions. Researchers found that the `indexedDB.databases()` API leaks a stable process-level identifier derived from IndexedDB storage ordering, even in private browsing. This undermines Tor Browser’s “New Identity” feature, designed to erase session traces, as the identifier persists until Firefox restarts. Mozilla patched the issue in Firefox 150 and ESR 140.10.0, tracked under Mozilla Bug 2024220.

The vulnerability stems from Firefox’s internal UUID mapping for private browsing databases. When `indexedDB.databases()` returns unsorted UUID-based filenames, the order becomes a deterministic fingerprint. Unlike origin-specific storage, this mapping is process-wide, allowing unrelated sites to independently identify the same browser instance. For example, two domains hosting identical scripts could observe matching database order permutations, linking user activity without cookies.

The fix canonicalizes the order of database names before the API returns them, removing the entropy. Mozilla emphasized that even seemingly benign APIs can enable cross-site tracking if they expose stable process state. This highlights systemic risks in browser storage implementations, where technical abstractions like hash tables and deterministic sorting inadvertently leak identifiers.
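The mechanism and the fix described above can be checked with a small model. This is an added example, not Firefox code: the `BrowserProcess` class, the seeded generator standing in for UUID creation, and the origin and database names are all assumptions made for illustration.

```javascript
// Constructed model for illustration; not Firefox source code.
// Assumption: each database name gets a random ID from a process-wide
// table, and the unpatched listing follows the order of those IDs.

function prng(seed) { // mulberry32, stands in for UUID generation
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

class BrowserProcess {
  constructor(seed) {
    this.rand = prng(seed);
    this.idForName = new Map();   // process-wide, shared by all origins
    this.dbsByOrigin = new Map(); // per-origin site data
  }
  open(origin, name) {
    if (!this.idForName.has(name)) this.idForName.set(name, this.rand());
    if (!this.dbsByOrigin.has(origin)) this.dbsByOrigin.set(origin, new Set());
    this.dbsByOrigin.get(origin).add(name);
  }
  newIdentity() { this.dbsByOrigin.clear(); } // site data goes, table stays
  listUnpatched(origin) { // order depends on per-process IDs
    const id = (n) => this.idForName.get(n);
    return [...(this.dbsByOrigin.get(origin) || [])].sort((x, y) => id(x) - id(y));
  }
  listPatched(origin) { // canonical order: names sorted before returning
    return [...(this.dbsByOrigin.get(origin) || [])].sort();
  }
}

const NAMES = ["d", "a", "f", "c", "b", "e"]; // constructed sample names

function listing(proc, origin, patched) {
  for (const n of NAMES) proc.open(origin, n);
  const names = patched ? proc.listPatched(origin) : proc.listUnpatched(origin);
  return names.join(",");
}

// Number of distinct listings seen across simulated browser restarts.
function distinctAcrossRestarts(patched, restarts = 20) {
  const seen = new Set();
  for (let s = 1; s <= restarts; s++) seen.add(listing(new BrowserProcess(s), "site-a.example", patched));
  return seen.size;
}
```

In the model, the unpatched listing is identical for two origins in one process and survives `newIdentity()`, while the patched listing is the same in every process, so `distinctAcrossRestarts(true)` is 1.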

Tor Browser users are particularly impacted, as the flaw negates the core purpose of “New Identity”: preventing linkability between sessions. While Mozilla acted swiftly, the incident underscores the challenge of balancing developer-friendly APIs with robust privacy guarantees. Users relying on Firefox-based tools for anonymity should update promptly to avoid this cross-session linking.