Researchers have discovered a vulnerability in Firefox that allows websites to fingerprint users even in Private Browsing mode and affects the Tor anonymity browser. The flaw, tracked as CVE-2026-6770, involves the IndexedDB browser API where database names are stored using internal UUID mappings that maintain consistent ordering across different sites during the same browser session, enabling unrelated sites to link user activity across domains without cookies. Mozilla has patched the issue in Firefox 150, and the Tor Project has rolled out the fix in Tor Browser version 15.0.10, closing a loophole that could effectively defeat Tor's "New Identity" isolation feature.