Hacker News Viewer

We found a stable Firefox identifier linking all your private Tor identities

by danpinto on 4/22/2026, 5:35:03 PM

https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/

Comments

by: lpapez

Very cool research and wonderfully written.

I was expecting an ad for their product somewhere towards the end, but it wasn't there!

I do wonder though: why would this company report this vulnerability to Mozilla if their product is fingerprinting?

Isn't it better for the business (albeit unethical) to keep the vulnerability private, to differentiate from the competitors? For example, I don't see many threat actors burning their zero days through responsible disclosure!

4/22/2026, 7:07:47 PM


by: firefax

The OP's link is timing out over Tor for me, but the Wayback[1] version loaded without issue.

Also, does anyone know of any researchers in the academic world focusing on this issue? We are aware that EFF has a project that used to be named after a pedophile on this subject, but we are more looking for professors at universities or pure research labs ala MSR or PARC than activists working for NGOs, however pure their praxis :-)

As privacy geeks, we have become fascinated with the topic -- it seems that while we can achieve *security* through extensions like noscript or ublock origin or firefox containers (our personal "holy trinity"), anonymity slips through our fingers due to fingerprinting issues. (Especially if we lump stylometry in the big bucket of "fingerprinting".)

[1] https://web.archive.org/web/20260422190706/https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/

4/22/2026, 9:09:48 PM


by: SirMaster

I question why websites can even access all this info without asking or notifying the user.

Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?

4/22/2026, 8:23:24 PM


by: codedokode

Honestly it seems that most of Web Standards are used mostly for fingerprinting - I think a small number of websites uses IndexedDB (who even needs it) for actually storing data rather than fingerprinting.

That's why expansion of web standards is wrong. Browser should provide minimal APIs for interacting with device and features like IndexedDB can be implemented as WebAssembly library, leaking no valuable data.

For example, if canvas provided only access to picture buffer, and no drawing routines calling into platform-specific libraries, it would become useless for fingerprinting.

4/22/2026, 8:32:33 PM


by: bawolff

From the sounds of this it sounds like it doesn't persist past browser restart? I think that would significantly reduce the usefulness to attackers.

4/22/2026, 7:22:00 PM


by: Meneth

I'm confused.

The IndexedDB UUID is "shared across all origins", so why not use the *contents* of the database to identify browsers, rather than the ordering?

4/22/2026, 8:00:04 PM


by: sva_

Does Tor Browser still allow JavaScript by default? Because if you block execution of JavaScript, you won't be affected from what I understand.

4/22/2026, 7:12:30 PM


by: crazysim

I would imagine most users of Tor are using Tor Browser. I am reading there was a responsible disclosure to Mozilla but is it me or did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser? Do they like keep very close or is there a large lag?

4/22/2026, 7:07:24 PM


by: anthk

The best for Tor would just be Links2/Links+ with the socks4a proxy set to 127.0.0.1:9050, enforcing all connections thru a proxy in the settings (mark the checkbox) and disabling cookies altogether.

4/22/2026, 8:02:24 PM


by: fsflover

It seems Qubes OS and Qubes-Whonix are not affected.

4/22/2026, 7:08:55 PM


by: LoganDark

> For developers, this is a useful reminder that privacy bugs do not always come from direct access to identifying data. Sometimes they come from deterministic exposure of internal implementation details.

> For security and product stakeholders, the key point is simple: even an API that appears harmless can become a cross-site tracking vector if it leaks stable process-level state.

This reads almost LLM-ish. The article on the whole does not appear so, but parts of it do.

4/22/2026, 8:02:27 PM


by: shevy-java

Well that sucks. I guess in the long run we need a new engine and different approach. Someone should call the OpenBSD guys to come up with working ideas here.

4/22/2026, 7:22:58 PM