Threat Advisory

Firefox, Thunderbird and Tor Browser Vulnerabilities Revealed Cross Site Tracking Without Cookies

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium

EXECUTIVE SUMMARY:

CVE-2026-6770 is a privacy vulnerability with a CVSS score of 6.5 affecting Mozilla Firefox, Thunderbird, and Tor Browser that allowed websites to fingerprint users and correlate browsing activity across different sites by exploiting the ordering of entries returned by IndexedDB. The flaw exposed a stable, process-level identifier that persisted even in Firefox Private Browsing mode after private windows were closed, and in Tor Browser even after using the “New Identity” feature, defeating expected privacy protections designed to prevent session linking and tracking. Because the issue required no user interaction, attackers could silently use it for cross-origin tracking and user identification during an active browser session. Mozilla and the Tor Project have released security updates to address the issue.


RECOMMENDATION:

We recommend updating to the following versions: Firefox 150.0 or later, Firefox ESR 140.10.0 or later, Thunderbird 150.0 or later, and Tor Browser 15.0.10 or later.

REFERENCES:

The following report contains further technical details:
https://securityaffairs.com/191374/security/firefox-bug-cve-2026-6770-enabled-cross-site-tracking-and-tor-fingerprinting.html
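
A fleet check against the fixed versions listed under RECOMMENDATION, added here as an example and not part of the original advisory. The inventory rows, host names and product keys are constructed, and the code assumes ESR builds report their version with an `esr` suffix.

```python
import re

# Fixed versions exactly as listed in the RECOMMENDATION section of this advisory.
FIXED = {"firefox": (150, 0), "firefox-esr": (140, 10, 0),
         "thunderbird": (150, 0), "tor-browser": (15, 0, 10)}

def parse_version(text):
    """Split '140.9.0esr' into ((140, 9, 0), True); reject anything else."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))

def is_patched(product, version_text):
    """True when the version is at or above the advisory's fixed version."""
    version, is_esr = parse_version(version_text)
    key = product.strip().lower()
    # Assumption: ESR builds carry an 'esr' suffix; without it a 140.x Firefox
    # is judged against the release-channel fix (150.0), not the ESR fix.
    if key == "firefox" and is_esr:
        key = "firefox-esr"
    fixed = FIXED[key]  # KeyError for products the advisory does not list
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(fixed)

def audit(inventory):
    """Return (host, product, version, status) for rows needing attention."""
    findings = []
    for host, product, version in inventory:
        try:
            status = None if is_patched(product, version) else "update"
        except (ValueError, KeyError):
            status = "unknown"  # never report an unparseable row as patched
        if status:
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hypothetical hosts, not data from the advisory).
INVENTORY = [
    ("ws-01", "firefox", "150.0"), ("ws-02", "firefox", "149.0.2"),
    ("ws-03", "firefox", "140.10.0esr"), ("ws-04", "firefox", "140.10.0"),
    ("ws-05", "tor-browser", "15.0.9"), ("ws-06", "thunderbird", "150.0b2"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row)
```

Rows that cannot be parsed or that name an unlisted product come back as `unknown` so they get a manual look instead of passing silently.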