Mozilla: Privacy Vulnerability in Firefox and TOR Browsers

Firefox and Tor Browsers Affected by Privacy-Tracking Vulnerability

Security firm Fingerprint uncovered a privacy flaw in Firefox and the Tor Browser that could allow websites to track users even in private browsing or anonymity-focused modes. The vulnerability, stemming from low entropy in how browsers retrieve non-sensitive metadata, created unique system fingerprints that persisted despite privacy protections.

Mozilla addressed the issue in Firefox 150, released on April 21, 2026, after Fingerprint responsibly disclosed the flaw. The flaw involved inconsistencies in database metadata retrieval that enabled tracking across sessions, undermining the privacy assurances of private browsing and Tor’s anonymity features.

The discovery highlights broader risks in browser security, particularly as AI-driven tools like Anthropic’s Claude Mythos may uncover similar vulnerabilities in the future. While the patch resolves the immediate threat, the incident underscores the ongoing challenges in maintaining robust privacy protections.

Source: https://securityboulevard.com/2026/04/privacy-vulnerability-in-firefox-and-tor-browsers/

Mozilla TPRM report: https://www.rankiteo.com/company/mozilla-corporation

"id": "moz1776991692",
"linkid": "mozilla-corporation",
"type": "Vulnerability",
"date": "4/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Firefox users',
                        'industry': 'Technology/Browser',
                        'name': 'Mozilla Firefox',
                        'type': 'Software'},
                       {'customers_affected': 'Tor Browser users',
                        'industry': 'Technology/Browser',
                        'name': 'Tor Browser',
                        'type': 'Software'}],
 'attack_vector': 'Browser Metadata Retrieval',
 'data_breach': {'sensitivity_of_data': 'Low (metadata-based)',
                 'type_of_data_compromised': 'User tracking fingerprints'},
 'date_resolved': '2026-04-21',
 'description': 'Security firm Fingerprint uncovered a privacy flaw in Firefox '
                'and the Tor Browser that could allow websites to track users '
                'even in private browsing or anonymity-focused modes. The '
                'vulnerability, stemming from low entropy in how browsers '
                'retrieve non-sensitive metadata, created unique system '
                'fingerprints that persisted despite privacy protections.',
 'impact': {'brand_reputation_impact': 'Potential erosion of user trust in '
                                       'privacy features',
            'data_compromised': 'User tracking data (fingerprinting)',
            'systems_affected': 'Firefox and Tor Browser'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Ongoing challenges in maintaining robust privacy '
                    'protections, especially in anonymity-focused tools like '
                    'Tor Browser.',
 'post_incident_analysis': {'corrective_actions': 'Patch released in Firefox '
                                                  '150 to address metadata '
                                                  'inconsistencies',
                            'root_causes': 'Low entropy in browser metadata '
                                           'retrieval mechanisms'},
 'recommendations': 'Regular audits of browser metadata handling, adoption of '
                    'AI-driven vulnerability detection tools like Anthropic’s '
                    'Claude Mythos.',
 'references': [{'source': 'Fingerprint (security firm)'}],
 'response': {'containment_measures': 'Patch released in Firefox 150',
              'remediation_measures': 'Fixed low entropy metadata retrieval',
              'third_party_assistance': 'Fingerprint (security firm)'},
 'title': 'Firefox and Tor Browsers Affected by Privacy-Tracking Vulnerability',
 'type': 'Privacy Vulnerability',
 'vulnerability_exploited': 'Low entropy in database metadata retrieval'}