U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting

CVE-2026-6770 let attackers fingerprint Firefox and Tor users, even in Private mode. Firefox 150 and Tor Browser 15.0.10 fixed it. A vulnerability, tracked as CVE-2026-6770, allowed attackers to fingerprint Firefox users, even in Private Browsing, and also impacted the Tor Browser. The flaw worked even when Tor’s New Identity feature was used, bypassing protections meant […]

Firefox Tor CVE-2026-6770

CVE-2026-6770 let attackers fingerprint Firefox and Tor users, even in Private mode. Firefox 150 and Tor Browser 15.0.10 fixed it.

A vulnerability, tracked as CVE-2026-6770, allowed attackers to fingerprint Firefox users, even in Private Browsing, and also impacted the Tor Browser.

The flaw worked even when Tor’s New Identity feature was used, bypassing protections meant to reset sessions and prevent linking activity across sites.

CVE-2026-6770 is a medium-severity information disclosure flaw in Firefox and Thunderbird’s IndexedDB that allows unauthorized access to client-side data. It can enable cross-origin tracking, exposing stable identifiers even in Private Browsing and Tor sessions.

An attacker can exploit the issue without user interaction; the bug poses privacy risks despite no active exploits. Mozilla patched it in Firefox 150, ESR 140.10, and Thunderbird updates released April 21, 2026.

The Tor Project release Tor Browser 15.0.10 to fix the problem.

The researchers who found the vulnerability report that websites can use it to fingerprint a browser session and link user activity across different sites. The identifier persists for the lifetime of the browser process, even after closing Private Browsing windows, and remains unchanged in Tor Browser despite using the “New Identity” feature, undermining expected privacy and unlinkability protections.

“The issue allows websites to derive a unique, deterministic, and stable process-lifetime identifier from the order of entries returned by IndexedDB, even in contexts where users expect stronger isolation.” wrote the researchers. “This means a website can create a set of IndexedDB databases, inspect the returned ordering, and use that ordering as a fingerprint for the running browser process. Because the behavior is process-scoped rather than origin-scoped, unrelated websites can independently observe the same identifier and link activity across origins during the same browser runtime. In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the “New Identity” feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.”

The flaw undermines core privacy expectations: sites shouldn’t link users across contexts, and private sessions should leave no trace. Instead, Firefox’s IndexedDB exposes a deterministic, process-level identifier via the ordering of database names returned by indexedDB.databases(). In Private Browsing, database names are mapped to UUIDs stored in a global hash table shared across all origins and lasting until the browser fully restarts. Because results are returned using hash table iteration without sorting, the order becomes a stable, high-entropy fingerprint consistent across tabs, sites, and sessions, even persisting after closing private windows and through Tor Browser’s “New Identity.” This enables cross-origin and same-origin tracking without cookies.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-6770)