Fingerprint.com security researchers have disclosed CVE-2026-6770, a cross-origin information leakage vulnerability in Firefox and Tor Browser’s implementation of the IndexedDB storage API. The vulnerability bypasses the browser’s cross-origin partitioning of IndexedDB storage, allowing a malicious webpage to enumerate and read IndexedDB data stored by other origins — potentially identifying users by their stored application data and, in Tor Browser, undermining the strict origin isolation that is fundamental to the anonymity model.
How the Vulnerability Works
IndexedDB is a browser-side storage API used by web applications to store structured data client-side — login state indicators, cached application data, user preferences, and application-specific identifiers. Modern browsers implement storage partitioning: IndexedDB databases created in the context of origin-A.com should not be accessible when code is running in the context of origin-B.com.
CVE-2026-6770 is a failure in this partitioning when IndexedDB databases are accessed through a specific combination of shared worker contexts and service worker scope resolution. The flaw causes Firefox to incorrectly identify the storage partition key for database lookups in this context, allowing cross-origin reads of databases that should be isolated.
An attacker can use this to:
- Enumerate stored databases: Detect whether a user has a stored IndexedDB database for specific web applications — which reveals which services the user has logged into or actively uses
- Read stored data: In applications that store user-identifiable data in IndexedDB (authentication tokens, user IDs, preference values), read that data across the origin boundary
- Browser fingerprinting: Use the set of stored databases as a fingerprint — since different users have used different web applications, the IndexedDB database enumeration provides a unique fingerprint value
Tor Browser: Elevated Privacy Risk
For standard Firefox users, the practical risk is cross-site tracking and targeted fingerprinting — significant but within the expected threat model of a general-purpose browser.
For Tor Browser users, the implications are more serious. Tor Browser’s anonymity model depends on strict origin isolation: each browsing tab should be isolated from every other origin, preventing cross-site correlation that could de-anonymise a user. CVE-2026-6770 can allow cross-origin correlation of Tor Browser sessions — if a user’s Tor Browser session has stored any identifiable IndexedDB data (even from a previous session where they were not anonymised), that data can be read by an adversarial page, potentially linking their anonymised Tor session to their real identity.
For journalists, activists, and others relying on Tor Browser for anonymity against sophisticated adversaries, this class of vulnerability has higher practical stakes than for general users.
Affected Versions and Patching
- Firefox: All versions prior to 130.0.1. Update via
Help → About Firefox. - Firefox ESR: Versions prior to 128.2.1 ESR.
- Tor Browser: Tor Browser 14.5.3 and earlier; update to 14.5.4 or later via the Tor Browser update mechanism.
The fix implements correct storage partition key derivation in the shared worker and service worker code paths, ensuring IndexedDB access is correctly scoped to the initiating origin regardless of worker context.
Tor Browser users in high-risk situations (journalists, activists, human rights workers) should treat this as an emergency update and verify Tor Browser is updated before any sensitive browsing session.
Share this article